Preface 


This document was generated in support of NASA contract NAS1-18586, Design and Verification of 
Digital Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 3. Task 3 is 
associated with formal verification of embedded systems. In particular, this document describes the 
verification of a set of memory management units (MMU). The verification effort demonstrates the use of 
hierarchical decomposition and abstract theories. The MMUs can be organized into a complexity hierarchy. 
Each new level in the hierarchy adds a few significant features or modifications to the lower level MMU. 

The units described included: 

a. A page check translation look-aside module (TLM). 

b. A page check TLM with supervisor line. 

c. A base and bounds MMU. 

d. A virtual address translation MMU. 

e. A virtual address translation MMU with memory resident segment table. 

The NASA technical monitor for this work is Sally C. Johnson of the NASA Langley Research Center, 
Hampton, Virginia. 
D. Gangsaas, Responsible Manager 
T. M. Richardson, Program Manager 
G. C. Cohen, Principal Investigator 

University of California: 

Dr. K. Levitt, Chief Researcher 
1.0 INTRODUCTION 


This report describes the verification of a set of memory management units (MMU). The 
specification and verification were done using the HOL verification system (ref. 1). The MMUs 
can be organized into a complexity hierarchy. Each new level in the hierarchy adds a few significant 
features or modifications to the lower level MMU. The units described include: 

a. A page check TLM (translation look-aside module). 

b. A page check TLM with supervisor line. 

c. A base and bounds MMU. 

d. A virtual address translation MMU. 

e. A virtual address translation MMU with memory resident segment table. 

Life-critical systems are becoming increasingly dependent on computer systems. Though redundant 
components in fault-tolerant systems increase reliability, these systems do not exclude errors due 
to specification or implementation flaws. Building reliable systems out of unreliable components 
does not guarantee a safe and secure system. Faults resulting from design errors are especially 
difficult to protect against and can compromise critical functionality (ref. 2). While simulation 
may discover the presence of errors, it cannot guarantee the absence of errors. Hardware 
verification can be used to uncover all inconsistencies between a mathematical model of the 
implementation and the formal specification. Hunt suggests that it is faster to verify a 
microprocessor design than to exhaustively test one (ref. 3). 

Hardware verification requires that a system design is formally shown to satisfy its specification 
through a mathematical proof. Using theorem proving techniques, an expression describing the 
behavior of a device is proven to be equivalent in some sense to an expression describing the 
implementation structure of the device. These expressions concisely describe the behavior of devices 
in an unambiguous way. The behavioral semantics are clearly defined, providing an accurate basis 
for building systems (ref. 4). 

1.1 MEMORY MANAGEMENT 

The principal purpose of an operating system is to manage system resources. Perhaps the most 
fundamental resource is main memory. On behalf of a program, the operating system allocates 
a section of main memory to load the program into before execution. During execution, the 
operating system will handle dynamic requests for additional memory. Sophisticated operating 
systems also support additional memory management capabilities including security and virtual 
memory functions. 

As a minimal security function, the operating system must ensure process noninterference. 
Each process expects that its space will not be modified or read by other processes. Further, 
different portions of a process can be tagged as readable, writable, executable, or a combination of 
the three. 

Most machines have a physical memory address space that is much smaller than the address 
space the processor can address. For example, a 32-bit processor may be capable of addressing 4 
gigabytes of memory (2^32) while the machine only has 16 megabytes of actual main memory (2^24). 
When several programs are executing, each may expect access to the entire address space. Virtual 
memory allows the entire address space to appear available to each process. 

Left to software alone, security and virtual memory capabilities cannot be completely provided. 
The functions demand hardware support. These functions may be present as part of the central 
processing unit (CPU) or as a separate chip. The MMU acts as a filter between the CPU and 
memory (see Figure 1.1-1). 

For each CPU memory request, the MMU determines whether the request will violate security 
constraints. If virtual memory support is also provided, the MMU will translate a request from 
a virtual to a real location. When the virtual location does not map to a location presently in 
memory, the MMU will inform the CPU that a “fault” has occurred. 

Security and virtual memory attributes are defined for blocks of contiguous memory. Access to 
each block can be restricted to be a combination of read, write, or execute permissions. In systems 
where all blocks are a fixed size, the blocks are referred to as “pages”. When the blocks may be of 
varying size they are referred to as “segments”. In many systems both types of objects are present. 
Segments consist of a varying number of pages. Protection attributes are established on a segment 
basis and the real address of a memory word is specified on a page basis. 

Simple MMUs expect the information for each block to be written to MMU registers (for 
example, PDP-11). More sophisticated MMUs will access memory resident tables to ascertain a 
block’s status (for example, Intel 80286, 80386 and Motorola 68851). Also, a fully functional MMU 
would utilize a cache to speed up these table accesses. Process management functions are also 
frequently present. The operating system is responsible for setting up the tables and can construct 
a distinct table for each process. 


1.2 INTEGRATION 

The MMU must be designed to work with other processors in a cooperative manner. The MMU 
must respond to the actions of other processors. The CPU and MMU have a codependent 
relationship. The MMU must know the process id (supervisor or user process), the kind of request 
(instruction fetch or data fetch), as well as whether the request is a read, write, or execute. 

MMU exceptions (bad address, segment fault, page fault, invalid access type) are distinct from 
interrupts. The CPU must be prepared to handle an MMU exception during the execution of an 
instruction (as opposed to the standard interrupt mechanism where interrupts are handled only 
after the end of an executing instruction). 

If the CPU performs prefetch, it is possible that the prefetch mechanism will inadvertently 
fetch an address that would never be executed (due to some sort of jump preceding the execution 
of this “instruction”). If the MMU generates one of the possible exceptions mentioned above, the 
CPU must postpone processing the exception until the offending value is actually used. 

The MMU must also provide a means for the CPU to perform any operation regardless of 
possible exceptions. For example, when an external interrupt occurs, the CPU must be able to 
save the return address on a stack. 

MMUs can also extend a CPU’s instruction set. Instructions to flush its cache, search or 
load a translation table entry, or test the access rights of a process may be provided. To support 
operating system memory management, the MMU may also be responsible for setting a dirty bit 
within a page descriptor when the page has been modified. 

The MMU must be responsive to other devices as well. For example, the activity of a direct 
memory access unit (DMA) can invalidate MMU cache entries. Either the MMU must watch the 
bus traffic or a mechanism must be available to the CPU to invalidate cached entries. 

1.3 VERIFIED MEMORY MANAGEMENT UNITS 

All of the MMUs are constructed from a combination of gates, registers and word comparison 
units. The gates and registers were available from previous work; however, the word comparison 
units were designed and verified for this effort. 

The simplest MMU combines a register with a word comparison unit. Addresses from a system 
bus can be stored in the register or compared with the register’s value. An acknowledgment signal 
is returned to indicate whether or not the address matched the register value. Because the word 
comparison unit provides result output lines to indicate if the first of two inputs is greater than, 
less than, or equal to the other, the MMU could be trivially changed to return a different result. 

While this MMU is primitive, it provides sufficient hardware support for a segmented or paged 
memory by combining several units and providing each with a distinct part of the address. 

For minimal security, the next MMU uses input from a supervisor line. When the supervisor 
line is high, the MMU operates in supervisor mode. A new register value can only be stored when 
the MMU is in supervisor mode. Also, all accesses are authorized when in supervisor mode. 

The base and bounds MMU adds two significant enhancements. First, the register is addressed 
as a memory location. When the supervisor line is high, the address bus value matches the register’s 
predefined address, and the write line is high, the MMU will store the value on the data bus in its 
register. Also, the MMU logically divides each address into two parts: a page and an offset. The 
register value is divided in the same manner. For the MMU to validate a memory address, the page 
address must match with the stored page component and the offset must be less than or equal to 
the stored bounds component. 
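A behavioural model of the base and bounds check just described, added here as an illustration and not taken from the report's HOL definitions. The 8-bit address split into a 4-bit page and a 4-bit offset, the register's bus address REG_ADDRESS, the Request fields and the acknowledgment returned for a register store are all assumptions of this model.

```python
"""Base and bounds MMU as a state transition system: the register value at
the next step and the acknowledgment are functions of the register value and
the bus signals at the current step (the style of section 1.6)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed address layout: high 4 bits are the page, low 4 bits the offset.
OFFSET_BITS = 4
OFFSET_MASK = 0x0F
PAGE_MASK = 0xF0
# Constructed: the bus address at which the MMU register is written.
REG_ADDRESS = 0xF0


@dataclass(frozen=True)
class Request:
    supervisor: bool   # supervisor line
    write: bool        # write line
    address: int       # address bus value (8 bits)
    data: int = 0      # data bus value, only meaningful on a write


def split(word: int) -> Tuple[int, int]:
    """Divide an address or register value into (page, offset/bounds)."""
    return (word & PAGE_MASK) >> OFFSET_BITS, word & OFFSET_MASK


def step(reg: int, req: Request) -> Tuple[int, bool]:
    """One transition: returns (register value at t+1, acknowledgment at t+1).

    A register store needs all three conditions from the text: supervisor
    mode, the bus address equal to the register's own address, and a write.
    Every other request is validated against the stored page and bounds.
    """
    if req.supervisor and req.write and req.address == REG_ADDRESS:
        # Assumption: a completed register store is acknowledged.
        return req.data & 0xFF, True
    page, offset = split(req.address)
    stored_page, bounds = split(reg)
    # The page must match and the offset must not exceed the bounds.
    valid = (page == stored_page) and (offset <= bounds)
    return reg, valid


def run_requests(reg: int, requests: List[Request]) -> Tuple[int, List[bool]]:
    """Drive the MMU through a request sequence; return final register and acks."""
    acks = []
    for req in requests:
        reg, ack = step(reg, req)
        acks.append(ack)
    return reg, acks


# Constructed sample sequence: load page 2 / bounds 5, then user accesses.
SAMPLE_REQUESTS = [
    Request(supervisor=True, write=True, address=REG_ADDRESS, data=0x25),
    Request(supervisor=False, write=False, address=0x23),  # page 2, offset 3
    Request(supervisor=False, write=False, address=0x27),  # offset 7 > bounds 5
    Request(supervisor=False, write=False, address=0x33),  # wrong page
    # A user-mode write to the register address is an ordinary access and
    # must not change the register: page 0xF does not match page 2.
    Request(supervisor=False, write=True, address=REG_ADDRESS, data=0x3F),
    Request(supervisor=False, write=False, address=0x23),  # still validated
]

if __name__ == "__main__":
    final_reg, acks = run_requests(0, SAMPLE_REQUESTS)
    print(f"register = {final_reg:#04x}, acks = {acks}")
```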

The next MMU adds user mode virtual address translation. System information pertaining 
to both segment and offset validation and virtual address translation is maintained in a pair of 
registers. These registers can only be accessed when the MMU is operating in supervisor mode. 

The last MMU validates CPU memory requests based on a memory resident segment table. 
Each segment-specific entry in the table defines the segment’s availability, read-write-execute access 
rights, segment size, and real address location in memory. 

The addition of these features reduces the amount of operating system software support. By 
developing a sophisticated MMU in steps, the construction of the final proof is much more tractable. 

In the sections that follow, we briefly describe the HOL theorem prover. Then, we describe 
the above devices and several auxiliary theories developed to support their verification. The final 
section is a description of future work, including composing the MMU with a cache. 


1.4 RELATED WORK 

Neumann proposes a unified hierarchy that accommodates all critical requirements (ref. 5). 
Responsibility to satisfy each requirement can then be delegated to an appropriate layer of the 
design. The layers remain interdependent, with the more abstract layers relying on the correctness 
of the lower levels. Formal proofs about the hardware level discharge some of the assumptions made 
by higher, software levels. Similarly, hardware level proofs often make assumptions about the 
behavior of the software that are discharged when the level is composed (ref. 6). 

There has been significant interest in formal verification as an alternative to simulation (refs. 7, 
8, 9 and 10). Hardware verification efforts thus far have focused primarily on a microprocessor as 
the base for computer systems (refs. 3, 11, 12 and 13). 

Perhaps the best known verification effort is that of the VIPER microprocessor (refs. 11, 14 
and 15). VIPER is the first microprocessor intended for commercial distribution where a formal 
verification has been attempted. However, these processors are quite limited. Only Joyce’s 
microprocessor, Tamarack-3, provides interrupts, and none provide memory management functions 
necessary to support a secure operating system. 

Previous efforts to verify systems have included construction of vertically verified systems with 
a microprocessor/memory as the system’s base. Joyce has specified and verified a compiler for the 
verified Tamarack-3 microprocessor (ref. 16). 
Computational Logic Inc. has attempted to verify a “stack” of interpreters where the 
implementation of a level is the specification of the next lower level (ref. 4). In this way, higher 
levels of the stack define new functionality by collecting the next lower level’s functionality. The 
stack consists of a compiler (Micro-Gypsy), an assembler and linking loader, an operating system, 
and a microprocessor. 

Bevier has verified a simple operating system (KIT), which ensures that tasks are isolated 
from one another. Implementation of the hardware base has not been verified (refs. 17 and 18). 
He assumes extensions to the FM8502 microprocessor to provide interrupts, asynchronous I/O, 
memory management, and supervisor-mode instructions. 


1.5 HOL 

HOL is a general theorem proving system developed at the University of Cambridge (refs. 1 and 
19) that is based on Church’s theory of simple types, or higher order logic (ref. 20). Church 
developed higher order logic as a foundation for mathematics, but it can be used for describing 
and reasoning about computational systems of all kinds. Higher order logic is similar to the more 
familiar predicate logic, but allows quantification over predicates and functions, not just variables, 
allowing more general systems to be described. 

HOL grew out of Robin Milner’s LCF theorem prover (ref. 21) and is similar to other LCF 
progeny such as NUPRL (ref. 22). Because HOL is the theorem proving environment used in the 
body of this work, we will describe it in more detail. 

HOL’s proof style can be tailored to the individual user, but most users find it convenient to 
work in a goal-directed fashion. HOL is a tactic based theorem prover. A tactic breaks a goal into 
one or more subgoals and provides a justification for the goal reduction in the form of an inference 
rule. Tactics perform tasks such as induction, rewriting, and case analysis. At the same time, 
HOL allows forward inference and many proofs are a combination of both forward and backward 
proof styles. Any theorem proving strategy a user employs in connection with HOL is checked for 
soundness, eliminating the possibility of incorrect proofs. 

HOL provides a metalanguage, ML, for programming and extending the theorem prover. Using 
ML, tactics can be put together to form more powerful tactics, new tactics can be written, and 
theorems can be combined into new theories for later use. The metalanguage makes the HOL 
verification system extremely flexible. 
In HOL, all proofs, even tactic-based proofs, are eventually reduced to the application of 
inference rules. Most nontrivial proofs require large numbers of inferences. Proofs of large devices 
such as microprocessors can take many millions of inference steps. In a proof containing millions 
of steps, what kind of confidence do we have that the proof is correct? One of the most important 
features of HOL is that it is secure, meaning that new theorems can only be created in a controlled 
manner. HOL is based on five primitive axioms and eight primitive inference rules. All high-level 
inference rules and tactics do their work through some combination of the primitive inference rules. 
Because the entire proof can be reduced to one using only eight primitive inference rules and five 
primitive axioms, an independent proof-checking program could check the proof syntactically. 

1.5.1 THE LANGUAGE. 

The object language of HOL is described in this section. We will discuss HOL’s terms and types. 

Terms. All HOL expressions are made up of terms. There are four kinds of terms in HOL: 
variables, constants, function applications, and abstractions (lambda expressions). Variables and 
constants are denoted by any sequence of letters, digits, underlines, and primes starting with a 
letter. Constants are distinguished in the logic; any identifier that is not a distinguished constant 
is taken to be a variable. Constants and variables can have any finite arity, not just 0, and, thus, 
can represent functions as well. 

Function application is denoted by juxtaposition, resulting in a prefix syntax. Thus, a term of 
the form "t1 t2" is an application of the operator t1 to the operand t2. The term’s value is the 
result of applying t1 to t2. 

An abstraction denotes a function and has the form "λ x. t". An abstraction "λ x. t" has 
two parts: the bound variable x and the body of the abstraction t. It represents a function, f, 
such that "f(x) = t". For example, "λ y. 2*y" denotes a function on numbers which doubles its 
argument. 

Constants can belong to two special syntactic classes. Constants of arity 2 can be declared 
to be infix. Infix operators are written "rand1 op rand2" instead of in the usual prefix form: 
"op rand1 rand2". Table 1.5-1 shows several of HOL’s built-in infix operators. 

Constants can also belong to another special class called binders. A familiar example of a 
binder is ∀. If c is a binder, then the term "c x.t" (where x is a variable) is written as shorthand 
for the term "c(λ x. t)". Table 1.5-2 shows several of HOL’s built-in binders. 
Table 1.5-1: HOL Infix Operators 

Operator    Application    Meaning 
=           t1 = t2        t1 equals t2 
,           t1,t2          the pair t1 and t2 
∧           t1 ∧ t2        t1 and t2 
∨           t1 ∨ t2        t1 or t2 
=>          t1 => t2       t1 implies t2 


Table 1.5-2: HOL Binders 

Binder    Application    Meaning 
∀         ∀ x. t         for all x, t 
∃         ∃ x. t         there exists an x such that t 
ε         ε x. t         choose an x such that t is true 


In addition to the infix constants and binders, HOL has a conditional statement that is written 
a → b | c, meaning “if a, then b, else c.” 

Types. HOL is strongly typed to avoid Russell’s paradox and others like it. Russell’s paradox 
occurs in a higher order logic when one can define a predicate that leads to a contradiction. 
Specifically, suppose that we define P as P(x) = ¬x(x) where ¬ denotes negation. P is true when its 
argument applied to itself is false. Applying P to itself leads to a contradiction since P(P) = ¬P(P) 
(i.e., true = false). This kind of paradox can be prevented by typing since, in a typed system, 
the type of P would never allow it to be applied to itself. 

Every term in HOL is typed according to the following recursive rules: 

a. Each constant or variable has a fixed type. 

b. If x has type α and t has type β, the abstraction λ x. t has the type (α → β). 

c. If t has the type (α → β) and u has the type α, the application t u has the type β. 

Types in HOL are built from type variables and type operators. Type variables are denoted by 
a sequence of asterisks (*) followed by a (possibly empty) sequence of letters and digits. Thus, *, 
***, and *ab2 are all valid type variables. All type variables are universally quantified implicitly, 
yielding type polymorphic expressions. 

Type operators construct new types from existing types. Each type operator has a name 
(denoted by a sequence of letters and digits beginning with a letter) and an arity. If σ1, ..., σn are 
types and op is a type operator of arity n, then (σ1, ..., σn)op is a type. Note that type operators 
are postfix while normal function application is prefix or infix. A type operator of arity 0 is a type 
constant. 

HOL has several built-in types, which are listed in Table 1.5-3. The type operators bool, 
ind, and fun are primitive. HOL has a special syntax that allows (*,**)prod to be written 
as (* # **), (*,**)sum to be written as (* + **), and (*,**)fun to be written as (* -> **). 

Table 1.5-3: HOL Type Operators 

Operator      Arity    Meaning 
bool          0        booleans 
ind           0        individuals 
num           0        natural numbers 
(*)list       1        lists of type * 
(*,**)prod    2        products of * and ** 
(*,**)sum     2        coproducts of * and ** 
(*,**)fun     2        functions from * to ** 


1.5.2 THE PROOF SYSTEM. 

HOL is not an automated theorem prover but is more than simply a proof checker, falling somewhere 
between these two extremes. HOL has several features that contribute to its use as a verification 
environment: 

a. Several built-in theories, including booleans, individuals, numbers, products, sums, lists, and 
trees. These theories contain the five axioms that form the basis of higher order logic as well 
as a large number of theorems that follow from them. 

b. Rules of inference for higher order logic. These rules contain not only the eight basic rules 
of inference from higher order logic, but also a large body of derived inference rules that 
allow proofs to proceed using larger steps. The HOL system has rules that implement the 
standard introduction and elimination rules for Predicate Calculus as well as specialized rules 
for rewriting terms. 
c. A collection of tactics. Examples of tactics include: REWRITE_TAC which rewrites a goal 
according to some previously proven theorem or definition; GEN_TAC which removes unnecessary 
universally quantified variables from the front of terms; and EQ_TAC which says that to show 
two things are equivalent, we should show that they imply each other. 

d. A proof management system that keeps track of the state of an interactive proof session. 

e. A metalanguage, ML, for programming and extending the theorem prover. Using the 
metalanguage, tactics can be put together to form more powerful tactics, new tactics can be 
written, and theorems can be aggregated to form new theories for later use. The metalanguage 
makes the verification system extremely flexible. 

1.6 DEVICE SPECIFICATION 

Circuits and devices are described in HOL using a mixture of functions and predicates. Universally 
quantified variables are used to specify input and output device lines while internal device lines 
are existentially quantified. The specifications are generally defined to model a state transition 
system. A specification defines the state and environment at time t+1 as a function of the state 
and environment at time t. 

1.7 ADDITIONAL NOTATION 

In the text, various fonts will be used to denote constants, definition names and object types. The 
turnstile symbol ⊢ is used to indicate that the term is a theorem which has been formally proven 
in the logic. When the subscript “def” is present (e.g. ⊢def), the theorem is simply a definition. 
2.0 AUXILIARY THEORIES 


An MMU will receive as input both boolean control signals and word values. The word values 
are abstractly viewed as addresses into memory, but take the concrete form of an array of boolean 
values or bits. This sequence of bits will be referred to as a “bitVector”. To support the verification 
of the MMUs, a theory defining how bitVectors can be ordered was constructed. 

A theory describing a device that compares bitVectors was also constructed. The device accepts 
two bitVectors and returns a result indicating whether the first bitVector is greater than, less than 
or equal to the second bitVector. 


2.1 BITVECTORS 

BitVectors are represented by the type :num→bool, but are constrained to be a finite length. 
BitVectors are functions that, when applied to a number, return the bit at that offset. Given a 
bitVector B with length n+1, the term B 0 returns the least significant bit value and the term B 
n returns the most significant bit value. 

The bitVector theory contains function definitions to compare bitVectors and to compare 
subsequences of bitVectors. The definitions are recursive so that they may apply to bitVectors of 
any length. Many of the functions expect the first argument to be the offset of the most significant 
bit (msb) of a bitVector. 

The auxiliary definitions ARB, ZEROES and ABS are defined in the box below. ARB uses the Hilbert 
choice operator to return an arbitrary bit (boolean) value. ZEROES serves as a bitVector of F values. 
The curried function expects width and bit offset number arguments and returns F for any line 
within the width range and an arbitrary value of type bool otherwise. 

Signals are defined similarly to bitVectors. The concrete type is defined as :time→bitVector (or 
:num→num→bool). However, it is convenient for signals to appear to be of type :num→time→bool. 
The function ABS reorders arguments so that abstract signals are implemented by a function 
involving bitVectors. 


⊢def ARB = ε (x:bool). T 

⊢def ZEROES w n = (n <= w) → F | ARB 

⊢def ABS (w:num) (sig:num→num→bool) (t:num) (n:num) = 
       (n <= w) → sig n t | ARB 
Definitions bvEQUAL, bvGREATER and bvLESS correspond to the numeric comparison functions: 
equal, greater than and less than. These definitions reflect a twos-complement interpretation of 
bitVectors where the least significant bit is bit 0. T is used for the bit value 1 and F for the 
bit value 0. The first argument specifies the most significant bit offset and is followed by two 
bitVectors. The definitions, being recursive, specify a base case (where the msb offset is zero), and 
the inductive case. Note that bvLESS is defined as a function of bvGREATER with the bitVector 
arguments reversed. 


⊢def (bvEQUAL 0 a b = (a 0 = b 0)) ∧ 
     (bvEQUAL (SUC n) a b = (bvEQUAL n a b ∧ (a (SUC n) = b (SUC n)))) 

⊢def (bvGREATER 0 a b = (a 0 ∧ ¬b 0)) ∧ 
     (bvGREATER (SUC n) a b = 
        ((a (SUC n) ∧ ¬b (SUC n)) ∨ 
         ((a (SUC n) = b (SUC n)) ∧ bvGREATER n a b))) 

⊢def bvLESS n a b = bvGREATER n b a 


Comparison definitions which only consider a contiguous section of a bitVector are also defined. 
bvPART constructs a bitVector given a range and a bitVector. Outside the range, the new bitVector 
returns F, while within the range, the new bitVector returns the old bitVector’s corresponding 
value. The definition bvEQbit is shorthand to compare two bits. bvPartEQUAL, bvPartGREATER and 
bvPartLESS compare contiguous sections of bitVectors, from a specified top bit down to a specified 
bottom bit. 


⊢def bvPART max min (sig:num→bool) (n:num) = 
       (n > max) → F | (n < min) → F | sig n 

⊢def bvEQbit x a b = (a x = (b (x:num)):bool) 

⊢def (bvPartEQUAL 0 y a b = 
        ((y = 0) → (bvEQbit 0 a b) | F)) ∧ 
     (bvPartEQUAL (SUC x) y a b = 
        ((SUC x) > y → (bvEQbit (SUC x) a b ∧ (bvPartEQUAL x y a b)) | 
         ((SUC x) = y) → (bvEQbit (SUC x) a b) | F)) 

⊢def (bvPartGREATER (SUC x) y a b = 
        (((SUC x) > y) → 
           ((a (SUC x) ∧ ¬b (SUC x)) ∨ 
            ((a (SUC x) = b (SUC x)) ∧ bvPartGREATER x y a b)) | 
         ((SUC x) = y) → (a (SUC x) ∧ ¬b (SUC x)) | F)) 

⊢def bvPartLESS x y a b = bvPartGREATER x y b a 
2.2 GATES 


The devices are constructed from the gates described below. The gates inv, nor2 and nand2 are 
assumed to be primitive, and from these we construct and2_imp and or2_imp. 


⊢def inv in out = (out = ¬in) 

⊢def nor2 a b out = (out = ¬(a ∨ b)) 

⊢def nand2 a b out = (out = ¬(a ∧ b)) 

⊢def and2_imp a b out = (∃ p. nand2 a b p ∧ inv p out) 

⊢def or2_imp a b out = (∃ p. nor2 a b p ∧ inv p out) 


2.3 BITVECTOR COMPARISON UNITS 

Two bitVector comparison units are constructed. The first compare unit produces three boolean 
results indicating either a greater than, less than or equal relation between the two input bitVectors. 
Frequently, all that is needed is a device that recognizes two bitVectors as equal. The second unit 
compares two bitVectors for equality as defined by the bitVector definition bvEQUAL. 

2.3.1 COMPLETE BITVECTOR COMPARISON UNIT 

The bitVector comparison unit takes two words as input and produces three boolean results 
indicating whether the first was greater than, less than, or equal to the second bitVector. The 
specification and implementation definitions are constructed recursively. We begin by defining a 
specification bitComp_spec, and implementation bitComp_imp, for a device where the inputs (first, 
sec) are a single bit rather than a bitVector. The implementation is proved to be equivalent to the 
specification. Note the existentially quantified variables p and q are lines internal to the device. 


⊢def bitComp_spec first sec g l e = 
       (g = (first ∧ ¬sec)) ∧ 
       (l = (¬first ∧ sec)) ∧ 
       (e = (first = sec)) 

⊢def bitComp_imp first sec g l e = 
       ∃ p q. (inv first p) ∧ (inv sec q) ∧ 
              (nor2 p sec g) ∧ 
              (nor2 q first l) ∧ 
              (nor2 g l e) 

⊢ bitComp_imp first sec g l e = bitComp_spec first sec g l e 
Definitions for two-bit words can be constructed in a similar manner as shown below. The 
implementation compComb_imp is proved to be equivalent to the specification compComb_spec. 


⊢def compComb_spec g0 g1 l0 l1 e0 e1 g l e = 
       (g = (g1 ∨ (e1 ∧ g0))) ∧ 
       (l = (l1 ∨ (e1 ∧ l0))) ∧ 
       (e = (e1 ∧ e0)) 

⊢def compComb_imp g0 g1 l0 l1 e0 e1 g l e = 
       ∃ p q. (and2_imp e1 g0 p) ∧ (or2_imp g1 p g) ∧ 
              (and2_imp e1 l0 q) ∧ (or2_imp l1 q l) ∧ 
              (and2_imp e1 e0 e) 

⊢ compComb_imp g0 g1 l0 l1 e0 e1 g l e = compComb_spec g0 g1 l0 l1 e0 e1 g l e 


Using the bitVector comparison definitions and the bitComp specification and implementation, 
a compare unit for an arbitrary sized bitVector is defined using recursive definitions and verified. 


⊢def comp_spec n a b g l e = 
       (g = (bvGREATER n a b)) ∧ 
       (l = (bvLESS n a b)) ∧ 
       (e = (bvEQUAL n a b)) 

⊢def (comp_imp 0 a b gr ls eq = (bitComp_imp (a 0) (b 0) gr ls eq)) ∧ 
     (comp_imp (SUC n) a b gr ls eq = 
        ∃ gs li es gn ln en. 
          (comp_imp n a b gn ln en) ∧ 
          (bitComp_imp (a (SUC n)) (b (SUC n)) gs li es) ∧ 
          (compComb_imp gn gs ln li en es gr ls eq)) 

⊢ comp_imp n a b great less equ = comp_spec n a b great less equ 


An example of an implementation for bitVectors of length three is in Figure 2.3-1. 


2.3.2 COMPARISON OF BITVECTOR EQUALITY 

Frequently, the full power of the compare unit described above is not required. For example, for a 
device to recognize bus requests directed to it, the device need only compare for equality the bus 
address with a predefined address. Note that an equality comparison unit also requires many fewer 
gates. 

The equality comparison unit is defined in a manner similar to the full comparison unit. First, 
we construct a device that recognizes bit equality, and then we construct an equality unit for 
arbitrary sized bitVector inputs. Figure 2.3-2 shows an equality comparison unit for bitVectors of 
length three. 
⊢_def bitEq_spec first sec e =
    (e = ( first = sec ))

⊢_def bitEq_imp first sec e =
    ∃ i j . (nor2_imp first sec i) ∧
            (and2_imp first sec j) ∧
            (or2_imp i j e)

⊢ bitEq_imp first sec e = bitEq_spec first sec e

⊢_def compEq_spec n a b e = (e = ( bvEQUAL n a b ))

⊢_def (compEq_imp 0 a b eq = (bitEq_imp (a 0) (b 0) eq)) ∧
      (compEq_imp (SUC n) a b eq =
        ∃ es en .
          (compEq_imp n a b en) ∧
          (bitEq_imp (a (SUC n)) (b (SUC n)) es) ∧
          (and2_imp en es eq) )

⊢ compEq_imp n a b e = compEq_spec n a b e
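
The two recursive units above can be exercised directly. The following Python model, added here as an illustration and not part of the report's HOL development, builds bitComp, compComb, comp_imp, bitEq and compEq_imp from the same gate structure and checks them exhaustively against the bitVector specification for one fixed width. It assumes (the page leaves this to the appendix) that bitVectors are tuples of bools with bit n most significant and that bvGREATER, bvLESS and bvEQUAL are unsigned comparisons over bits 0..n; the gate helper names and check_all are the model's own.

```python
"""Gate-level comparator and equality unit checked against the bitVector
specification.  Added example (Python), not the report's HOL text.

Assumptions the page does not fix: a bitVector is a tuple of bools indexed
0..n with bit n the most significant, and bvGREATER, bvLESS and bvEQUAL
compare bits 0..n as unsigned numbers.  Gate helpers mirror the HOL gate
implementations (and2_imp, or2_imp, nor2_imp, inv) in functional form.
"""
from itertools import product


# Primitive gates, functional form of the relational HOL gate definitions.
def and2(a, b):
    return a and b


def or2(a, b):
    return a or b


def nor2(a, b):
    return not (a or b)


def inv(a):
    return not a


# bitVector specification side (assumed semantics, see docstring).
def bv_value(v):
    """Unsigned value of a bitVector, bit 0 least significant."""
    return sum(int(bit) << i for i, bit in enumerate(v))


def bv_greater(n, a, b):
    return bv_value(a[:n + 1]) > bv_value(b[:n + 1])


def bv_less(n, a, b):
    return bv_value(a[:n + 1]) < bv_value(b[:n + 1])


def bv_equal(n, a, b):
    return a[:n + 1] == b[:n + 1]


def comp_spec(n, a, b):
    """comp_spec: the (greater, less, equal) triple required by the spec."""
    return bv_greater(n, a, b), bv_less(n, a, b), bv_equal(n, a, b)


# Gate-level implementation side.
def bit_comp_imp(x, y):
    """bitComp: compare one bit pair; x > y iff x and not y, x < y iff not x and y."""
    g = and2(x, inv(y))
    l = and2(inv(x), y)
    e = nor2(g, l)
    return g, l, e


def comp_comb_imp(g0, g1, l0, l1, e0, e1):
    """compComb: merge the low-bits result (index 0) with the next higher bit
    (index 1).  The higher bit decides unless it is equal, in which case the
    lower bits decide; this is the and2/or2 network of the HOL definition."""
    g = or2(g1, and2(e1, g0))
    l = or2(l1, and2(e1, l0))
    e = and2(e1, e0)
    return g, l, e


def comp_imp(n, a, b):
    """comp_imp: the recursive definition unrolled as a ripple over bits 0..n."""
    g, l, e = bit_comp_imp(a[0], b[0])
    for i in range(1, n + 1):
        gh, lh, eh = bit_comp_imp(a[i], b[i])
        g, l, e = comp_comb_imp(g, gh, l, lh, e, eh)
    return g, l, e


def bit_eq_imp(x, y):
    """bitEq: NOR (both zero) and AND (both one) feeding an OR."""
    return or2(nor2(x, y), and2(x, y))


def comp_eq_imp(n, a, b):
    """compEq_imp: AND-reduce the per-bit equality results over bits 0..n."""
    e = bit_eq_imp(a[0], b[0])
    for i in range(1, n + 1):
        e = and2(e, bit_eq_imp(a[i], b[i]))
    return e


def check_all(n):
    """Bounded counterpart of the two HOL theorems: exhaustively confirm that
    comp_imp agrees with comp_spec and comp_eq_imp with bvEQUAL for every pair
    of (n+1)-bit vectors.  HOL proves this for all n at once; here one n is
    checked by enumerating all 2^(2(n+1)) input pairs."""
    width = n + 1
    for a in product((False, True), repeat=width):
        for b in product((False, True), repeat=width):
            if comp_imp(n, a, b) != comp_spec(n, a, b):
                return False
            if comp_eq_imp(n, a, b) != bv_equal(n, a, b):
                return False
    return True


if __name__ == "__main__":
    for n in range(4):
        print(f"n = {n}: implementation matches specification: {check_all(n)}")
```

The enumeration is only a sanity check for small widths; the HOL proof by induction on n is what covers every width, which is the point of the recursive definitions.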


2.4 REGISTERS 


Registers are used to store the state of an MMU over time. This theory was implemented by Phil
Windley and included in this report for the sake of completeness.

Registers receive an input bitVector, and clear and load control signals. A register's output at
time t+1 depends on its input control lines clr and ld at time t. The output remains unchanged
if both control lines are F. If both lines are high, the register is cleared (clr takes priority over
ld). A register implementation is constructed from primitive gates, and a formal proof shows the
implementation is equivalent to the specification.


⊢_def reg_spec w i ld clr out =
    (∀ t:num . out(t+1) = (clr t → ZEROES w | ld t → i t | out t)) ∧
    (out 0 = ZEROES w)

⊢_def (reg_imp 0 i ld clr out = d_ff (i 0) ld clr (out 0)) ∧
      (reg_imp (SUC n) i ld clr out = ((reg_imp n i ld clr out) ∧
                                        (d_ff (i (SUC n)) ld clr (out (SUC n)))))

⊢ reg_imp w i ld clr out = reg_spec w (ABS w i) ld clr (ABS w out)
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3.0 SIMPLE MEMORY MANAGEMENT UNITS 


3.1 PAGE CHECK TLM 


The page check TLM (translation look-aside module) is the simplest MMU. Protection is generally
needed on a page or segment basis¹, rarely on a word basis. Memory addresses can be decomposed
into a page and a page offset descriptor. The page check TLM acts only on the page descriptor.

The device will either compare a received page descriptor² with another value previously stored
in a register or store a new value for future comparisons. When a comparison is performed, the unit
returns T when the two values are the same. The device is expected to return a result one time
epoch after receiving its inputs. The units are defined using the auxiliary definitions mentioned in
the previous section and are correct for all bitVector widths. To isolate the timing dependencies,
the specification is divided into two parts: pgCk and pgCk_spec.

The definition pgCk_spec describes the timing details. The register and acknowledgment output
values at t+1 are a function of the input values at time t. The function is specified by pgCk.

The definition pgCk accepts a bitVector address, a write/compare command line and a register
and returns a tuple containing the resultant register value and acknowledgment output. If the
command line is T, the register is updated and the output acknowledgment is set to T (regardless
of the comparison result). If the command line is F, indicating a comparison should be performed,
the output acknowledgment is dependent on the result of the comparison.

The implementation pgCk_imp is constructed by composing a register, a comparison unit and
an OR gate (Fig. 3.1-1³). The definitions show the use of the ABS function to allow signals to take
arguments out of order. The implementation is shown to imply the specification.


¹ Here a page is a contiguous block of memory words, each block being a fixed length. Segments are blocks of
words but all segments need not be of the same length.

² Note that the concrete implementation of a page descriptor is a subsequence of a bitVector.

³ The reset box in the figure is set to F in the definition.
⊢_def pgCk n address write rgstr =
    (write = T) → (address, T) |
    (bvEQUAL n rgstr address) → (rgstr, T) | (rgstr, F)

⊢_def pgCk_spec n addr rWC reg ack =
    ∀ (t:num). (reg(t+1), ack(t+1)) = pgCk n (addr t) (rWC t) (reg t)

⊢_def pgCk_imp n addr rWC reg ack =
    ∀ t. ∃ g l e.
      (reg_imp n addr rWC bitFalse reg) ∧
      (comp_imp n (ABS n reg t) (ABS n addr t) g l e) ∧
      (or2_imp e (rWC t) (ack (t+1)))

⊢ pgCk_imp n addr rWC reg ack ⇒ pgCk_spec n (ABS n addr) rWC (ABS n reg) ack



Figure 3.1-1: Page Check TLM

3.2 PAGE CHECK TLM WITH SUPERVISOR LINE 

The simple page check unit cannot guarantee that processes will not interfere with one another.
Processes cannot be trusted to leave the page check unit's register unmodified. The above unit
cannot prevent a process from writing to the TLM unit and altering the protection scheme intended
by the operating system kernel. The enhanced unit receives input from a supervisor input line.
Only when the supervisor line is high can a write to the page check register occur. A write
attempted with the supervisor line low is silently dropped: the specification substitutes rWC t ∧ sup t
for the command line, so the acknowledgment then reflects only the comparison result.

We assume that the CPU has two control states: a supervisor state intended for operating
system use and a user state for use by application processes. Generally, the supervisor line status
is defined by a bit in the central processing unit's program status word (PSW). Microprocessors
designed for multiprocessing restrict access to the PSW so that process status bits (including the
supervisor bit) can be modified only when the system is executing in supervisor state. This scheme
assumes that nonkernel tasks execute in user state. The supervisor bit can be extended into a
process identifier field or a security ring field.

The implementation requires one additional AND gate and an internal line. The proof is quite
similar to the pgCk proof; it requires an additional case split to deal with the supervisor line.
⊢_def pgCks_spec n addr rWC sup reg ack =
    ∀ (t:num). (reg(t+1), ack(t+1)) =
        pgCk n (addr t) (rWC t ∧ sup t) (reg t)

⊢_def pgCks_imp n addr rWC sup reg ack =
    ∀ t. ∃ x g l e.
      (and2_imp (rWC t) (sup t) (x t)) ∧
      (reg_imp n addr x bitFalse reg) ∧
      (comp_imp n (ABS n reg t) (ABS n addr t) g l e) ∧
      (or2_imp e (x t) (ack (t+1)))

⊢ pgCks_imp n addr rWC sup reg ack ⇒ pgCks_spec n (ABS n addr) rWC sup (ABS n reg) ack



Figure 3.2-1: Page Check TLM With Supervisor Line
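
As an added illustration (Python, not the report's HOL), the following model simulates pgCks_spec and pgCks_imp cycle by cycle on a constructed input trace and, with the supervisor line tied high, the unsupervised pgCk unit of section 3.1 on the same trace. It assumes the register behaves as reg_spec (load and synchronous clear, zero at time 0) and models the comparison unit's equality output as tuple equality rather than the gate-level comparator; the helper names bits, Register and demo are the model's own.

```python
"""Page check TLM with and without the supervisor line, simulated cycle by
cycle.  Added example (Python), not the report's HOL text.

pgCk and pgCks_spec are transcribed as next-state functions; pgCks_imp is
modelled as a clocked circuit built from the register, a comparison unit
and the AND/OR gates of the implementation.  Assumptions: bitVectors are
tuples of bools; the register is reg_spec (synchronous load and clear, clear
winning, zero at time 0); the comparison unit's equality output is modelled
as tuple equality rather than the gate-level comparator.
"""


def pg_ck(n, address, write, rgstr):
    """pgCk: returns (new register value, acknowledgment)."""
    if write:
        return address, True
    if rgstr[:n + 1] == address[:n + 1]:       # bvEQUAL n rgstr address
        return rgstr, True
    return rgstr, False


def pg_cks_next(n, address, write, sup, rgstr):
    """pgCks_spec: the command line seen by pgCk is rWC t ∧ sup t."""
    return pg_ck(n, address, write and sup, rgstr)


class Register:
    """reg_spec: out(t+1) = clr t → zeros | ld t → i t | out t; out 0 = zeros."""

    def __init__(self, width):
        self.out = (False,) * width

    def step(self, i, ld, clr):
        if clr:
            self.out = (False,) * len(self.out)
        elif ld:
            self.out = tuple(i)


def pg_cks_imp_run(n, trace):
    """pgCks_imp: run the gate-level structure over a trace of
    (addr t, rWC t, sup t) inputs; returns (reg(t+1), ack(t+1)) per cycle."""
    reg = Register(n + 1)
    observed = []
    for addr, rwc, sup in trace:
        x = rwc and sup                          # and2_imp (rWC t) (sup t) x
        e = reg.out[:n + 1] == addr[:n + 1]      # comparison unit on reg t, addr t
        ack = e or x                             # or2_imp e x (ack (t+1))
        reg.step(addr, ld=x, clr=False)          # reg_imp n addr x bitFalse reg
        observed.append((reg.out, ack))
    return observed


def pg_cks_spec_run(n, trace):
    """pgCks_spec over the same trace, for comparison with the implementation."""
    reg = (False,) * (n + 1)
    observed = []
    for addr, rwc, sup in trace:
        reg, ack = pg_cks_next(n, addr, rwc, sup, reg)
        observed.append((reg, ack))
    return observed


def pg_ck_imp_run(n, trace):
    """pgCk_imp (no supervisor line) is pgCks_imp with sup tied high."""
    return pg_cks_imp_run(n, [(addr, rwc, True) for addr, rwc, _ in trace])


def bits(value, width):
    """Constructed helper: integer to bitVector tuple, bit 0 least significant."""
    return tuple(bool((value >> i) & 1) for i in range(width))


def demo(n=3):
    """Constructed trace: the kernel loads page 5 in supervisor state, a user
    process then tries to overwrite the register with page 7, and finally two
    user-mode checks are made.  Returns the ack sequence and final register
    for the supervised unit and for the unsupervised pgCk unit."""
    trace = [
        (bits(5, n + 1), True, True),    # supervisor write: reg := 5, ack T
        (bits(7, n + 1), True, False),   # user write attempt
        (bits(5, n + 1), False, False),  # user check of page 5
        (bits(7, n + 1), False, False),  # user check of page 7
    ]
    with_sup = pg_cks_imp_run(n, trace)
    if with_sup != pg_cks_spec_run(n, trace):
        raise AssertionError("pgCks_imp disagrees with pgCks_spec on this trace")
    without_sup = pg_ck_imp_run(n, trace)
    return {
        "pgCks_acks": [ack for _, ack in with_sup],
        "pgCks_final_reg": with_sup[-1][0],
        "pgCk_acks": [ack for _, ack in without_sup],
        "pgCk_final_reg": without_sup[-1][0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On this trace the supervised unit keeps page 5 and rejects the user's check of page 7, while the unsupervised unit lets the user write go through and afterwards acknowledges page 7, which is exactly the interference the supervisor line is meant to prevent.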
3.3 BASE AND BOUNDS MMU 

The base and bounds MMU (bb-MMU) extends the capabilities of the page check devices. This
last "simple" MMU is actually much more sophisticated than the previous devices. While the page
check units left unspecified how the device's register is addressed, the bb-MMU provides a more
complete interface to a system bus. The device expects inputs consisting of an address (in bitVector
form), a supervisor line, a read/write line and a data value. When a request is valid, the device
asserts an acknowledgment signal.

The bb-MMU is positioned between the CPU and memory and must recognize when bus
requests are targeted to itself. The bb-MMU protection register is accessed as a memory location.
When the supervisor line input is asserted (T) the bb-MMU will operate in supervisor mode.

In supervisor mode, the bb-MMU compares a memory request's bus address with a constant
to determine whether the protection register is being accessed. If the address does match and the
read/write line is T, then the protection register value will be updated. Whether the protection
register is updated or not, the acknowledgment line will be asserted.

In user mode, the bb-MMU decomposes the input address and register output into a segment
and offset component. The bb-MMU verifies that the address segment matches the stored segment
component (the base) and that the address offset is not greater than the stored offset (the bounds);
the bound is therefore inclusive. The top bits (between n and s) of the address bitVector represent
the segment identifier. In user mode the protection register is never written, whatever the value of
the read/write line.

The specification is divided into parts to distinguish the supervisor and user mode behaviors.
The specification baseBoundCk_spec is only valid when the segment offset size s is less than the
bitVector size n. Note that the data and address bitVector sizes are implicitly defined to be the
same length. The specification defines the resulting state as a tuple consisting of the protection
register value and the acknowledgment line value. When the supervisor line is high, bbSUPERV
defines the result state; otherwise, bbCOMP defines the result state.

The parameter ADDR represents an unspecified constant denoting the address of the protection
register.


⊢_def bbSUPERV n bbReg addr data ADDR rw =
    ( rw → ( (bvEQUAL n addr ADDR) → (data, T:bool)
                                    | (bbReg, T) )
         | (bbReg, T) )

⊢_def bbCOMP n s bbReg addr =
    ( (bvEQUAL n (bvPART n s bbReg) (bvPART n s addr) ∧
       ¬(bvGREATER s addr bbReg))
      → (bbReg, T:bool) | (bbReg, F) )

⊢_def bbNextState n s bbReg addr data ADDR super rw =
    ( super → bbSUPERV n bbReg addr data ADDR rw
            | bbCOMP n s bbReg addr )

⊢_def baseBoundCk_spec n s bbReg addr data ADDR super rw ack =
    (s < n) ⇒ ∀t. ( bbReg(t+1), ack(t+1) ) =
        bbNextState n s (bbReg t) (addr t) (data t) ADDR (super t) (rw t)

The implementation is defined using primitive gates, as well as the register and full comparison 
unit described previously. A more efficient implementation would use the equality comparison unit. 
The abstract function PRT is used to split off a subsection of a bitVector. 
⊢_def PRT w max min (sig:num->num->bool) (t:num) (n:num) =
    (n > max) → F |
    (n < min) → F |
    (n <= w) → (sig n t) | ARB

⊢_def baseBoundCk_imp n s bbReg addr data ADDR super rw ack =
    (s < n) ⇒ ∀ t.
      (∃ writeBB g0 g1 g2 l0 l1 l2 e2 x addrMatch goodSeg goodOfs ok.
        (reg_imp n data writeBB bitFalse bbReg) ∧
        (comp_imp n (ABS n addr t) ADDR g0 l0 (addrMatch t)) ∧
        (and2_imp (rw t) (super t) (x t)) ∧
        (and2_imp (addrMatch t) (x t) (writeBB t)) ∧
        (comp_imp n (PRT n n s bbReg t)
                    (PRT n n s addr t) g1 l1 goodSeg) ∧
        (comp_imp s (ABS n addr t)
                    (ABS n bbReg t) g2 l2 e2) ∧
        (inv g2 goodOfs) ∧
        (and2_imp goodOfs goodSeg ok) ∧
        (or2_imp ok (super t) (ack (t+1))) )



Figure 3.3-1: Base and Bounds MMU


The proof is substantially more complicated than the proofs for the page check units. In the 
process of verifying that the implementation implies the specification, several intermediate lemmas 
are useful. While they are all seemingly obvious, HOL requires a proof for each. 
Lemma 0

⊢ (s < n) ⇒ (PRT n n s sig t) = (bvPART n s (ABS n sig t))

Lemma 1

⊢ (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) ∧
   ¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) =
  (¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) ∧
  (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)))

Lemma 2

⊢ (n > 0) ⇒ (SUC (PRE n) - 1) + 1 = (SUC (PRE n))

Lemma 3

⊢ ∀ (n:num) . (n > 0) ⇒ (SUC (PRE n)) = n


Proving the final theorem required 492.7 seconds of CPU time and generated 31,227 intermediate
theorems.


⊢ baseBoundCk_imp n s bbReg addr data ADDR super rw ack ⇒
  baseBoundCk_spec n s (ABS n bbReg) (ABS n addr) (ABS n data) ADDR super rw ack

Proper management of the register’s contents ensures that a process can only modify a specified 
address space. Although very simple, a set of these devices composed together would be sufficient 
to satisfy a system’s security need to enforce process noninterference. While the use of multiple 
devices is not strictly necessary, a system with several devices might considerably reduce operating 
system overhead. 






4.0 VIRTUAL ADDRESS TRANSLATION MMU 


The MMU is programmed through two memory-mapped control registers: 

a. A protection register governs the range of valid virtual memory addresses a process may
access.

b. A translate address register designates the base real address accessible in memory.

Processes cannot be trusted on their own to leave the unit's registers unmodified. Only when
the supervisor line is high will the unit permit a register write. This ensures that the security
protection scheme intended by the operating system kernel cannot be altered intentionally or
unintentionally by user processes. This scheme assumes that nonkernel tasks execute in user state.
The supervisor bit can be extended into a process identifier field or a security ring field.

The protection register and virtual addresses are partitioned into a segment⁴ and an offset.
A request is validated if the segment address matches the stored segment component and the
offset is less than or equal to the stored bounds component. When a request is validated, the
MMU constructs a real address using the offset of the requested address and the translate address
register. When the supervisor line is asserted, all accesses are authorized and address translation
is not performed.

4.1 SPECIFICATION 

The abstraction functions PRT and PRTA are used to split off a subsection of a bitVector⁵. The
function definition VtoR creates a real address by replacing the segment identifier with the real
base offset; the bottom s bits of the virtual address remain unchanged.

⊢_def PRT w max min (sig:num->num->bool) (t:num) (n:num) =
    (n > max) → F |
    (n < min) → F |
    (n <= w) → (sig n t) | ARB

⊢_def PRTA w max min (sig:num->bool) (n:num) =
    (n > max) → F |
    (n < min) → F |
    (n <= w) → (sig n) | ARB

⊢_def VtoR realA virtA s n = (n > s) → (realA n):bool | (virtA n)


⁴ Here a page is a contiguous block of memory words, each block being a fixed length. Segments are blocks of
words but all segments need not be of the same length.

⁵ Please see the appendix for a description of bitVectors and many of the device building blocks.
The specification virtBBCk_spec is defined as a state transition system. The specification
defines the state and environment at time t+1 as a function of the state and environment at time
t. The state is maintained in variables (bbReg, vaReg). The input environment consists of the
address bus value, data bus value, and control bus signals (addr, data, super, rw). The output
environment consists of a request validation line and a real address (ack, outAddr). The functions
vSUPERV and vCOMP define the supervisor and user mode behaviors, respectively. The parameters
n, s and ADDR serve as constants defining the most significant bitVector bit, the most significant
address offset bit and the base address of the MMU registers. The size of the bitVectors must be
greater than the segment offset for the specification to be meaningful.


⊢_def vSUPERV n bbReg vaReg addr data ADDR rw =
    ( (rw ∧ (bvEQUAL n (bvPART n 1 addr) (bvPART n 1 ADDR)))
      → (addr 0) → (data, vaReg, addr, T:bool)
                 | (bbReg, data, addr, T:bool)
      | (bbReg, vaReg, addr, T) )

⊢_def VtoR realA virtA s n = (n > s) → (realA n):bool | (virtA n)

⊢_def vCOMP n s bbReg vaReg addr =
    ( (bvEQUAL n (bvPART n s bbReg) (bvPART n s addr) ∧
       ¬ (bvGREATER s addr bbReg))
      → (bbReg, vaReg, (VtoR vaReg addr s), T:bool)
      | (bbReg, vaReg, addr, F) )

⊢_def vNextState n s bbReg vaReg addr data ADDR super rw =
    super → vSUPERV n bbReg vaReg addr data ADDR rw
          | vCOMP n s bbReg vaReg addr

⊢_def virtBBCk_spec n s bbReg vaReg addr data ADDR super rw ack outAddr =
    (s < n) ⇒
    ∀ t. ( bbReg(t+1), vaReg(t+1), outAddr(t+1), ack(t+1) ) =
         vNextState n s (bbReg t) (vaReg t) (addr t) (data t)
                    ADDR (super t) (rw t)

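The following Python model, added here and not part of the report's HOL text, serves both the base and bounds specification of section 3.3 (bbNextState) and the translating specification above (vNextState), since the two share bvPART, bvGREATER and the user-mode check. It assumes bit n is the most significant bit, that bvPART n s keeps bits s..n, that bvGREATER s compares bits 0..s as unsigned numbers, and that in vSUPERV address bit 0 selects which register is written once bits 1..n match ADDR; the constructed scenario (n = 7, s = 3, registers at 0xFE/0xFF) and the helper names bits, in_bounds and demo are the model's own.

```python
"""Base-and-bounds check (section 3.3) and virtual address translation
(section 4.1) as executable models of bbNextState and vNextState.  Added
example (Python), not the report's HOL text; one block serves both sections
because they share the bitVector helpers.

Assumptions the page leaves open: bit n is the most significant bit;
bvPART n s v keeps bits s..n (the segment field) and clears the rest;
bvGREATER s a b compares bits 0..s as unsigned numbers, so the bound check
(not bvGREATER) is inclusive; in vSUPERV the register written is selected by
address bit 0 after bits 1..n have matched ADDR.
"""


def bits(value, width):
    """Constructed helper: integer to bitVector tuple, bit 0 least significant."""
    return tuple(bool((value >> i) & 1) for i in range(width))


def bv_value(v):
    return sum(int(bit) << i for i, bit in enumerate(v))


def bv_part(n, s, v):
    """bvPART n s v: bits s..n of v, lower bits cleared (assumed semantics)."""
    return tuple(v[i] if i >= s else False for i in range(n + 1))


def bv_equal(n, a, b):
    return a[:n + 1] == b[:n + 1]


def bv_greater(s, a, b):
    return bv_value(a[:s + 1]) > bv_value(b[:s + 1])


def vto_r(real_a, virt_a, s):
    """VtoR: bit i is taken from realA when i > s, otherwise from virtA."""
    return tuple(real_a[i] if i > s else virt_a[i] for i in range(len(virt_a)))


def in_bounds(n, s, bb_reg, addr):
    """The user-mode test shared by bbCOMP and vCOMP: same segment field and
    offset not above the stored bound."""
    return (bv_equal(n, bv_part(n, s, bb_reg), bv_part(n, s, addr))
            and not bv_greater(s, addr, bb_reg))


def bb_next_state(n, s, bb_reg, addr, data, ADDR, super_, rw):
    """bbNextState: returns (bbReg', ack)."""
    if super_:                                    # bbSUPERV
        if rw and bv_equal(n, addr, ADDR):
            return data, True
        return bb_reg, True
    return bb_reg, in_bounds(n, s, bb_reg, addr)  # bbCOMP


def v_next_state(n, s, bb_reg, va_reg, addr, data, ADDR, super_, rw):
    """vNextState: returns (bbReg', vaReg', outAddr, ack)."""
    if super_:                                    # vSUPERV
        if rw and bv_equal(n, bv_part(n, 1, addr), bv_part(n, 1, ADDR)):
            if addr[0]:
                return data, va_reg, addr, True   # protection register
            return bb_reg, data, addr, True       # translate register
        return bb_reg, va_reg, addr, True         # pass through untranslated
    if in_bounds(n, s, bb_reg, addr):             # vCOMP
        return bb_reg, va_reg, vto_r(va_reg, addr, s), True
    return bb_reg, va_reg, addr, False


def demo():
    """Constructed scenario with n = 7 (8-bit vectors) and s = 3: the kernel
    programs both registers, a user process tries to rewrite the protection
    register, then three user-mode requests are checked against both models."""
    n, s = 7, 3
    ADDR = bits(0xFE, 8)   # registers appear at 0xFE (translate) and 0xFF (protection)
    bb = va = bits(0, 8)
    bb, va, _, _ = v_next_state(n, s, bb, va, bits(0xFF, 8), bits(0xA6, 8), ADDR, True, True)
    bb, va, _, _ = v_next_state(n, s, bb, va, bits(0xFE, 8), bits(0x40, 8), ADDR, True, True)
    results = {}
    bb2, va2, _, ack = v_next_state(n, s, bb, va, bits(0xFF, 8), bits(0, 8), ADDR, False, True)
    results["user_write_ignored"] = bb2 == bb and va2 == va and not ack
    for name, a in (("in_bounds", 0xA3), ("bound_exceeded", 0xA7), ("wrong_segment", 0xC3)):
        _, _, out, ack = v_next_state(n, s, bb, va, bits(a, 8), bits(0, 8), ADDR, False, False)
        _, bb_ack = bb_next_state(n, s, bb, bits(a, 8), bits(0, 8), ADDR, False, False)
        results[name] = (ack, bv_value(out), bb_ack == ack)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With bbReg = 0xA6 the segment field is bits 3..7 of 0xA6 and the bound is 6, so 0xA3 (offset 3) is translated to 0x43 through vaReg = 0x40, 0xA7 (offset 7) fails the inclusive bound, and 0xC3 fails the segment match; in every rejected case outAddr is the untranslated virtual address and ack is F, matching vCOMP.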

4.2 IMPLEMENTATION 


The implementation virtBBCk_imp is defined using primitive gates, registers and the full comparison
unit described previously. A more efficient implementation would use an equality comparison unit.
The function pick_imp defines a bitVector MUX. The datapath can be seen in Figure 4.2-1.
⊢_def pick_imp (wordA:num->bool) (wordB:num->bool) (which:bool) res
    = (which = T) → (res = wordA) | (res = wordB)

⊢_def virtBBCk_imp n s ADDR bbReg vaReg addr data super rw ack outAddr =
    (s < n) ⇒ ∀ t.
      (∃ wBB wVA select x aM0 aM1 aM2 goodSeg goodOfs ok nok xlat g l e.
        (and2_imp (rw t) (super t) (x t)) ∧
        (compEq_imp n (PRT n n 1 addr t) (PRTA n n 1 ADDR) (aM0 t)) ∧
        (and2_imp (aM0 t) (x t) (aM1 t)) ∧
        (inv (addr 0 t) (aM2 t)) ∧
        (and2_imp (aM1 t) (addr 0 t) (wBB t)) ∧
        (and2_imp (aM1 t) (aM2 t) (wVA t)) ∧
        (reg_imp n data wBB bitFalse bbReg) ∧
        (reg_imp n data wVA bitFalse vaReg) ∧
        (compEq_imp n (PRT n n s bbReg t)
                      (PRT n n s addr t) goodSeg) ∧
        (comp_imp s (ABS n addr t)
                    (ABS n bbReg t) g l e) ∧
        (inv g goodOfs) ∧
        (and2_imp goodOfs goodSeg ok) ∧
        (or2_imp ok (super t) (ack (t+1))) ∧
        (inv ok nok) ∧
        (or2_imp nok (super t) xlat) ∧
        (pick_imp (ABS n addr t) (ABS n vaReg t) xlat (select t)) ∧
        ((outAddr (t+1)) = (VtoR (select t) (ABS n addr t) s)) )



Figure 4.2-1: Base and Bounds MMU with Virtual Address Translation


4.3 VERIFICATION 

Several simple intermediate lemmas were proven with the final theorem requiring 1,209 seconds of
CPU time executing on a Sun SparcStation. The final proof generated 64,185 primitive inferences.

Lemma 0

⊢ PRT n n s sig t = bvPART n s (ABS n sig t)

Lemma 1

⊢ (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) ∧
   ¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) =
  (¬ bvGREATER s (ABS n addr t) (ABS n bbReg t)) ∧
  (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)))

Lemma 2

⊢ VtoR a a s = a

Lemma 3

⊢ PRTA n n s sig = bvPART n s sig

Lemma 4

⊢ addr 0 t = ABS n addr t 0


Several of these units could be combined to provide sufficient hardware support for a segmented
and paged memory. This design also supports multiple process requirements assuming the top bits
of an address specify a process identifier.


⊢ virtBBCk_imp n s ADDR bbReg vaReg addr data super rw ack outAddr ⇒
  virtBBCk_spec n s ADDR (ABS n bbReg) (ABS n vaReg) (ABS n addr)
                (ABS n data) super rw ack outAddr
5.0 MEMORY-RESIDENT TABLE MMU


This MMU provides protection and address translation on a segment basis. These functions
are only in effect when the MMU operates in user mode. When operating in supervisor mode,
the memory protection mechanism is inactive and requests are passed through without address
translation.

Addresses consist of a segment identifier and a segment offset. The segment identifier is 
used to fetch the segment descriptor. Segment descriptors are located in a memory-resident table 
and consist of two words. The first word specifies the segment size and read, write and execute 
permissions. The second word acts as a base address for the segment’s real location in memory. To 
translate from a virtual address to a real address, the MMU adds the segment offset to the segment 
base address. To support segment paging, the first word also contains a bit indicating whether the 
segment is presently in memory. If this bit is F, the operating system is free to use the second word 
as a disk offset or in any other fashion. 

The location of the table is determined by the MMU’s segment table pointer register. This 
register is accessible only in supervisor mode. The MMU assumes the table provides an entry for 
all possible segment descriptors. 

Segment descriptor layout (the bit positions of the fields are not recoverable from the figure):

    word 0: | Avail | Read | Write | Execute | ... | Segment Size |
    word 1: |                     Real Offset                      |

The MMU described here must fetch a descriptor from memory for each access. Initial work 
on a cache to speed up performance is discussed in a subsequent section. 

The previous units were constructed in a bottom up manner, from the gate level up. Using
the verification of these units as a model, devices that compare one bitVector with another in an
arbitrary way could be specified and successfully verified. The device described in this section takes
a top-down approach to the verification of a much more complicated device. The implementation
level here is the electronic block level. We construct a generic theory describing an MMU where
several functions are left abstract.
5.1 GENERIC THEORIES


A generic theory consists of three parts:

a. An abstract representation of the uninterpreted constants and types in the theory. The
abstract representation contains a set of abstract operations and a set of abstract objects. The
semantics of the abstract representation are unspecified. Inside the theory, we don't know
what the objects and operations mean.

b. A list of theory obligation predicates defining relationships between members of the abstract
representation. When a theory is instantiated, these predicates must be proven about the
concrete representation. Within the theory, the obligations represent axiomatic knowledge.
The abstract MMU theory does not contain any theory obligations.

c. A collection of abstract theorems about the representation.

For a more complete description of abstract theories see (ref. 23).

Using the abstract theory package, a set of selector functions can be created. When applied 
to an abstract representation, a selector function extracts the desired function. 

Instead of dealing with concrete data types such as bitVectors with a specific length, the
abstract MMU works with data values of abstract types *wordn, *address and *memory. The
abstract representation provides a set of functions that manipulate these types.

Previous device theories have considered the size of the segment identifier and segment offset
fields within a bitVector. The abstract representation ignores these details by providing functions
that return the segment identifier or segment offset fields from an address (segId and segOfs,
respectively). There is also a function segIdshf, which returns the offset of a segment descriptor
within the memory-resident segment table for a given address. Since descriptors require two words,
the implementation of this function simply shifts the segment identifier to the left 1-bit position
(e.g., adds a trailing zero bit).

The abstract functions availBit, readBit, writeBit and execBit extract a bit value from
an argument of type *wordn. These functions are applied to the first word of a segment descriptor.

Several functions that operate on two-tuples are available. Given a pair of *wordn values,
add returns a value of *wordn. Functions addrEq, ofsLEq and validAccess replace the concrete
comparison units used in previous units.




Additional abstract coercion functions are available to convert values between types. If the
theory were instantiated, the concrete implementation of the abstract types would likely be the
same (bitVectors) and these functions would be unnecessary.

Memory is also treated abstractly. The abstract representation provides a fetch function, and
a transformation function⁶.


new_type_abbrev (`RWE`, ":bool # bool # bool");;

let mmu_abs = new_abstract_representation
  [
    (`segId`,       ":(*address -> *wordn)");
    (`segOfs`,      ":(*address -> *wordn)");
    (`segIdshf`,    ":(*address -> *wordn)");
    % %
    (`availBit`,    ":(*wordn -> bool)");
    (`readBit`,     ":(*wordn -> bool)");
    (`writeBit`,    ":(*wordn -> bool)");
    (`execBit`,     ":(*wordn -> bool)");
    % %
    (`add`,         ":(*wordn # *wordn -> *wordn)");
    % %
    (`addrEq`,      ":(*address # *address -> bool)");
    (`ofsLEq`,      ":(*address # *wordn -> bool)");
    (`validAccess`, ":(*address # *wordn # RWE -> bool)");
    % Coercion functions %
    (`val`,         ":(*wordn -> num)");
    (`wordn`,       ":(num -> *wordn)");
    (`address`,     ":(*wordn -> *address)");
    % Memory functions %
    (`fetch`,       ":(*memory # *address) -> *wordn");
    (`trans`,       ":*memory -> *memory")
  ];;

let mmu_ty = abstract_type `mmu_abs` `segId`;;
A type abbreviation RWE is also defined to be a three-tuple of bit values. Selector functions
rBIT, wBIT and eBIT access the first, second, and third bits, respectively.


⊢_def rBIT rwe = (FST rwe)

⊢_def wBIT rwe = (FST (SND rwe))

⊢_def eBIT rwe = (SND (SND rwe))

5.2 SPECIFICATION 

The specification is decomposed into several rules and ignores timing details. The timing details
are spelled out in the final correctness theorem. The state of the MMU specification is a three-tuple
consisting of a boolean acknowledgment, a memory address and the table pointer register value.

⁶ This function is included for future extensions.
The definitions superMode and userMode describe the behavior of the MMU when operating
in their respective modes. The definition legalAccess uses many of the abstract functions to
fetch from memory the appropriate segment descriptor and compare it with the request's access
parameters. The definition vToR constructs a real address from a virtual address.

The variable r in all definitions is the abstract representation.


MMU SPECIFICATION

⊢_def legalAccess r vAddr tblPtr rwe mem =
    let d = (fetch r)( mem,
              (address r)((add r) (segIdshf r vAddr, tblPtr)) ) in
    ( (validAccess r) (vAddr, d, rwe) ∧ (ofsLEq r) (vAddr, d) )

⊢_def vToR r vAddr tblPtr mem =
    let d = (fetch r) (mem, (address r)
              ((add r)( (wordn r 1), (add r)(segIdshf r vAddr, tblPtr) ))) in
    (address r) ((add r) (segOfs r vAddr, d))

⊢_def superMode r vAddr rwe tblPtrADDR tblPtr data mem =
    ((wBIT rwe) ∧ (addrEq r (vAddr, tblPtrADDR)))
      → ( T, vAddr, data )
      | ( T, vAddr, tblPtr )

⊢_def userMode r vAddr rwe tblPtrADDR tblPtr data mem =
    ( legalAccess r vAddr tblPtr rwe mem
      → ( T, (vToR r vAddr tblPtr mem), tblPtr )
      | ( F, vAddr, tblPtr ) )

⊢_def mmu_spec r vAddr rwe tblPtrADDR tblPtr data mem superv =
    (superv → superMode r vAddr rwe tblPtrADDR tblPtr data mem
            | userMode r vAddr rwe tblPtrADDR tblPtr data mem )

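To show what instantiating the abstract theory looks like, the following Python model, added here and not the report's HOL development, gives a concrete representation (integers for *wordn and *address, a dict for *memory) and transcribes legalAccess, vToR, superMode, userMode and mmu_spec over it. The bit positions of the descriptor fields, the 8/8 split of segment identifier and offset, the meaning of validAccess (segment present and each requested permission granted), the table pointer address 0xFFF0 and the sample segment table are all assumptions of the example, not statements from the report.

```python
"""Concrete instantiation of the abstract MMU representation of section 5
and the transcribed specification functions.  Added example (Python), not
the report's HOL text.

Words and addresses are plain integers, memory is a dict from address to
word, and the abstract operations become attributes of a SimpleNamespace.
Assumptions the page does not fix: 16-bit words; an address is an 8-bit
segment identifier above an 8-bit offset; descriptor word 0 carries Avail,
Read, Write and Execute in bits 15..12 and the segment size in bits 7..0;
validAccess means the segment is present and each requested permission is
granted; rwe is the (read, write, execute) triple so wBIT rwe = rwe[1].
"""
from types import SimpleNamespace

WORD_MASK = 0xFFFF
AVAIL, READ, WRITE, EXEC = 0x8000, 0x4000, 0x2000, 0x1000


def valid_access(p):
    """validAccess (vAddr, descriptor word 0, rwe): present and permitted."""
    _vaddr, desc, (r, w, e) = p
    return (bool(desc & AVAIL)
            and (bool(desc & READ) or not r)
            and (bool(desc & WRITE) or not w)
            and (bool(desc & EXEC) or not e))


def make_rep():
    """Concrete counterpart of mmu_abs; attribute names follow the HOL representation."""
    return SimpleNamespace(
        segId=lambda a: (a >> 8) & 0xFF,
        segOfs=lambda a: a & 0xFF,
        segIdshf=lambda a: ((a >> 8) & 0xFF) << 1,        # two words per descriptor
        availBit=lambda w: bool(w & AVAIL),
        readBit=lambda w: bool(w & READ),
        writeBit=lambda w: bool(w & WRITE),
        execBit=lambda w: bool(w & EXEC),
        add=lambda p: (p[0] + p[1]) & WORD_MASK,
        addrEq=lambda p: p[0] == p[1],
        ofsLEq=lambda p: (p[0] & 0xFF) <= (p[1] & 0xFF),  # offset <= segment size
        validAccess=valid_access,
        val=lambda w: w,
        wordn=lambda k: k & WORD_MASK,
        address=lambda w: w & WORD_MASK,
        fetch=lambda p: p[0].get(p[1], 0),                 # unmapped words read as 0: not Avail
        trans=lambda m: m,
    )


def legal_access(r, vaddr, tblptr, rwe, mem):
    """legalAccess: fetch descriptor word 0 at tblPtr + 2*segId and test it."""
    d = r.fetch((mem, r.address(r.add((r.segIdshf(vaddr), tblptr)))))
    return r.validAccess((vaddr, d, rwe)) and r.ofsLEq((vaddr, d))


def v_to_r(r, vaddr, tblptr, mem):
    """vToR: real address = segment base (descriptor word 1) + segment offset."""
    word0 = r.add((r.segIdshf(vaddr), tblptr))
    base = r.fetch((mem, r.address(r.add((r.wordn(1), word0)))))
    return r.address(r.add((r.segOfs(vaddr), base)))


def super_mode(r, vaddr, rwe, tblptr_addr, tblptr, data, mem):
    if rwe[1] and r.addrEq((vaddr, tblptr_addr)):        # wBIT rwe and addrEq
        return True, vaddr, data
    return True, vaddr, tblptr


def user_mode(r, vaddr, rwe, tblptr_addr, tblptr, data, mem):
    if legal_access(r, vaddr, tblptr, rwe, mem):
        return True, v_to_r(r, vaddr, tblptr, mem), tblptr
    return False, vaddr, tblptr


def mmu_spec(r, vaddr, rwe, tblptr_addr, tblptr, data, mem, superv):
    """mmu_spec: (ack, address passed to memory, table pointer register)."""
    mode = super_mode if superv else user_mode
    return mode(r, vaddr, rwe, tblptr_addr, tblptr, data, mem)


def demo():
    """Constructed memory image with a three-entry segment table at 0x1000."""
    r = make_rep()
    mem = {
        0x1004: AVAIL | READ | EXEC | 0x7F, 0x1005: 0x4000,   # segment 2: r-x, offsets 0..0x7F
        0x1006: AVAIL | READ | WRITE | 0x10, 0x1007: 0x5000,  # segment 3: rw-, offsets 0..0x10
        0x1008: 0x0000, 0x1009: 0x1234,                       # segment 4: not present
    }
    tblptr, tblptr_addr = 0x1000, 0xFFF0
    RD, WR = (True, False, False), (False, True, False)
    return {
        "read_seg2": mmu_spec(r, 0x0210, RD, tblptr_addr, tblptr, 0, mem, False),
        "write_seg2": mmu_spec(r, 0x0210, WR, tblptr_addr, tblptr, 0, mem, False),
        "read_seg3_past_end": mmu_spec(r, 0x0311, RD, tblptr_addr, tblptr, 0, mem, False),
        "write_seg3": mmu_spec(r, 0x0305, WR, tblptr_addr, tblptr, 0, mem, False),
        "read_absent_seg4": mmu_spec(r, 0x0400, RD, tblptr_addr, tblptr, 0, mem, False),
        "kernel_sets_tblptr": mmu_spec(r, tblptr_addr, WR, tblptr_addr, tblptr, 0x2000, mem, True),
        "kernel_read_untranslated": mmu_spec(r, 0x0400, RD, tblptr_addr, tblptr, 0, mem, True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: ack={value[0]} addr=0x{value[1]:04X} tblPtr=0x{value[2]:04X}")
```

Note what the concrete fetch does with an address that has no table entry: it returns 0, whose Avail bit is clear, so the request is rejected rather than translated through garbage. The report's specification assumes the table provides an entry for every segment identifier, which is exactly the obligation a real instantiation would have to discharge.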

5.3 IMPLEMENTATION 


The implementation is constructed from electronic-block model components. These are defined as 
specifications for the behavior of a gate-level implementation. Many of the devices specify their 
timing behavior as well. The building blocks consist of a security comparison unit, an address 
match unit, a memory fetch unit, an adder, registers, latches, muxes, and a control unit. Most of 
the device definitions are self-explanatory with the exception of the memory and the control unit. 
These two units will be described in greater detail. 

The system bus provides the following to the MMU: 


a. A request line. 

b. A supervisor state line. 

c. Read/write/execute request type lines. 

d. An address bus value. 
e. A data bus value.


⊢_def secUnit_spec r a b rwe ok =
    ∀ t. ok (t+1) =
      ((validAccess r) ((a t), (b t), (rwe t)) ∧ (ofsLEq r) ((a t), (b t)))

⊢_def addUnit_spec r a b c = ∀ t:num. c (t+1) = (add r ((a t), (b t)))

⊢_def muxUnit_spec r a b out s =
    ∀ t:num. (out (t+1)) = (s (t+1)) → address r (b (t+1)) | (a t)

⊢_def mux3Unit_spec a b c out s =
    ∀ t:num. (out t) = (s t = 0) → a t | (s t = 1) → b t | c t

⊢_def splitUnit_spec r virt id ofs =
    ∀ t:num. ((id t) = (segIdshf r) (virt t)) ∧
             ((ofs t) = (segOfs r) (virt t))

⊢_def latchUnit_spec r i out ctrl =
    ∀ t:num. out (t+1) = ctrl (t+1) → out t | (i (t+1))

⊢_def regUnit_spec r i ld clr out =
    (∀ t:num. out (t+1) = (clr t → (wordn r 0) | ld t → i t | out t)) ∧
    (out 0 = (wordn r 0))

⊢_def matchUnit_spec r a b m =
    ∀ (t:num). m(t+1) = ( addrEq r (a t, b t) ) → T:bool | F

⊢_def oneUnit_spec r t = (wordn r) 1

⊢_def bitFalse t = F

5.4 MEMORY 

The memory unit specification defines an interface to memory that is synchronous. If the request
line req is high at t, then at t+1, data will contain the requested memory value and the done line
will be T. If there is no request at time t, then done at t+1 will be F. To construct an asynchronous
version, this specification could be modified to state that given a request at time t, the next time
done is T data will hold the requested value from memory.

When composing the MMU with a cache, the synchronous specification will also change. If
there is a cache hit, a value would be returned much sooner (perhaps an order of magnitude) than
if main memory were to be accessed.

The control unit and the final correctness statement do not rely on a synchronous memory
unit specification. The proof could be easily modified to fit these other models.
⊢_def memoryUnit_spec r req addr data done mem =
    ( (data 0 = wordn r 0) ∧ (done 0 = F) ) ∧
    ∀t. ( (req t) → ( (data (t+1) = fetch r (mem t, addr t)) ∧
                      (done (t+1) = T) )
                  | ( (data (t+1) = wordn r 0) ∧
                      (done (t+1) = F) ) )


5.5 CONTROL UNIT 

To process each memory request, the control unit will pass through several phases. The unit is a
clocked device. At each clock tick the control unit may change its phase depending on the results
computed by the other internal units and the MMU input from the system bus.

The control unit inputs include:

a. The request line (reqIn).

b. The supervisor line (super).

c. The request type (read/write/execute) lines (rwe).

d. The address compare result line (match).

e. The security unit result line (secOK).

f. The memory fetch result line (fdone).

The control unit output lines include:

a. The MUXes that control the adder's inputs (muxC).

b. The adder output latch (lC).

c. The MUX that controls the bus memory address lines (xlat).

d. The register update lines (tmpC, tblC).

e. The memory request line (rReq).

f. The MMU done line (done).

g. The MMU access acknowledgment line (ack).

There are six distinct phases; however, not all phases are executed for each request. Which
phases are executed depends on the validity of the memory request. Request evaluation begins
with the control unit in phase 0 and completes when phase 0 is again reached. A valid request
will require five phases with a delay of at least one time unit before a phase change. Most phases
require one clock cycle; however, memory requests for a segment descriptor may take several. The
control unit will busy-wait until a memory fetch completes.


⊢_def controlUnit_spec reqIn super rwe match secOK fdone
                       muxC tmpC tblC lC rReq xlat done ack phase =

  ((muxC 0, tmpC 0, tblC 0, lC 0, rReq 0, xlat 0, done 0, ack 0, phase 0) =
   (0, F, F, F, F, F, F, F, 0)) ∧

  (∀ t . (muxC(t+1), tmpC(t+1), tblC(t+1), lC(t+1), rReq(t+1), xlat(t+1),
          done(t+1), ack(t+1), phase(t+1)) =

    %  result columns:  muxC, tmpC tblC lC, rReq xlat done ack, phase  %

    (phase t = 0) →
        (reqIn t →                            ( 0, F,F,F, F,F,F,F, 1)
                 |                            ( 0, F,F,F, F,F,F,F, 0)) |
    (phase t = 1) →
        (super t →
            (((wBIT (rwe t)) ∧ match t) →     ( 0, F,T,F, F,F,F,F, 5)
                                        |     ( 0, F,F,F, F,F,T,T, 0))
                |                             ( 2, T,F,T, T,T,F,F, 2)) |
    ((phase t = 2) ∧ fdone t) →               ( 1, F,F,F, T,T,F,F, 3) |
    ((phase t = 3) ∧ fdone t) →               ( 0, F,F,F, F,T,F,F, 4) |
    (phase t = 4) →
        (secOK t →                            ( 0, F,F,T, F,T,T,T, 0)
                 |                            ( 0, F,F,F, F,F,T,F, 0)) |
    (phase t = 5) →                           ( 0, F,F,F, F,F,T,T, 0) |
    (muxC t, tmpC t, tblC t, lC t, F, xlat t, done t, ack t, phase t))



The datapath definition describes the interconnection between all the units other than the
control unit. The definition mmu_imp joins the control unit with the data path.


Data Path

⊢_def dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
               muxC tmpC tblC lC rReq xlat match secOK fdone =
  ∃ (mux1 mux2 id ofs addOut data latOut :num->*wordn)
    (secData :num->*wordn) .
    (regUnit_spec r vData tblC bitFalse tblPtr) ∧
    (regUnit_spec r data tmpC bitFalse secData) ∧
    (secUnit_spec r vAddr secData rwe secOK) ∧
    (splitUnit_spec r vAddr id ofs) ∧
    (mux3Unit_spec id ofs (oneUnit_spec r) mux1 muxC) ∧
    (mux3Unit_spec tblPtr data latOut mux2 muxC) ∧
    (addUnit_spec r mux1 mux2 addOut) ∧
    (latchUnit_spec r addOut latOut lC) ∧
    (matchUnit_spec r vAddr tblPtrADDR match) ∧
    (muxUnit_spec r vAddr latOut rAddr xlat) ∧
    (memoryUnit_spec r rReq rAddr data fdone mem)


⊢_def mmu_imp r vAddr vData rwe superv tblPtr tblPtrADDR reqIn
              rAddr done ack xlat mem phase =
  ∃ (muxC :num->num) (tmpC tblC lC rReq match secOK fdone :num->bool) .
    (controlUnit_spec reqIn superv rwe match secOK fdone
                      muxC tmpC tblC lC rReq xlat done ack phase) ∧
    (dataPath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
              muxC tmpC tblC lC rReq xlat match secOK fdone)
Figure 5.5-2: Abstract MMU External Block Diagram


















5.6 MEMORY MANAGEMENT EXECUTION CYCLE 


When the control unit is in phase 0, it busy-waits for a request and then proceeds to phase
1. During phase 0, the address comparison unit (matchUnit_spec) determines whether the
bus address matches the MMU's table pointer address; the result is put on the match line. The
split unit (splitUnit_spec) divides the address into its segment table offset and segment offset
components.

In phase 1, the supervisor line determines the next phase. When the supervisor line is high,
two results are possible. When the request is a write and the match line is T, the control unit
directs the table pointer register to store the value on the data bus and sets the next phase
to 5. After one clock tick in phase 5, the acknowledge and done lines are asserted and the control
unit returns to phase 0. The extra tick ensures that the data bus value remains constant while
the register updates its store. If the request is not directed to the segment table pointer
register, the done and acknowledge lines are asserted and the phase is set to 0. Since the xlat
line remains F, the original request is passed on to memory without modification.

Meanwhile the adder computes the memory address of the segment descriptor from the shifted
segment identifier and the segment table pointer (the outputs of the MUXs). When the supervisor
line is not high and the control unit is in phase 1, a memory fetch is initiated using the adder
output. The adder output latch control line (lC) is asserted to keep this value constant, and the
temporary register write control line (tmpC) is asserted to capture the first word of the fetched
segment descriptor. The control unit moves on to phase 2.

The control unit remains in phase 2 until the fdone line is asserted, indicating that the memory
fetch has completed. During this time the adder increments the address so that the second word
of the segment descriptor can be fetched. The control unit then moves on to phase 3.

The control unit likewise remains in phase 3 until the fdone line is asserted, indicating that the
second memory fetch has completed. If the security unit has asserted the secOK line, phase 4 is
entered. The delay gives the adder time to form the real address from the second word of the
segment descriptor (the fetched word) and the segment offset. In phase 4, the xlat, done and ack
lines are asserted and the control unit returns to phase 0.

If the security unit does not authorize the memory request, the control unit does not enter
phase 4 but returns to phase 0 asserting the done line and not the ack line. A refused request is
therefore distinguished from a completed one by ack, not by done.

Note that the done line is asserted only when the MMU completes its execution cycle, and
only for one clock cycle.


5.7 VERIFICATION 


Several auxiliary definitions are used to express the final correctness statement. To relate the
implementation to the specification, a temporal abstraction is constructed using the two predicates
Next and First. The predicate First g t is true when t is the first time that g is true. The
predicate Next g (t1,t2) is true when t2 is the next time after t1 that g is true. The predicate
stable_sigs states that between t1 and t2 the MMU inputs remain constant.


|- First g t = (!p:time. p < t ==> ~(g p)) /\ (g t)

|- Next g (t1,t2) = (t1 < t2) /\
     (!t:time. t1 < t /\ t < t2 ==> ~(g t)) /\ (g t2)

|- stable_sigs t1 t2 vAddr rwe tblPtrADDR data mem super =
     !t'. t1 < t' /\ t' < t2 ==>
       (super t' = super t1) /\
       (vAddr t' = vAddr t1) /\
       (rwe t' = rwe t1) /\
       (data t' = data t1) /\
       (mem t' = mem t1) /\
       (tblPtrADDR t' = tblPtrADDR t1)


The correctness theorem states that if the implementation is in phase 0 and a memory request
is made, the implementation responds c time steps later, and its state at that time matches the
state defined by the specification for the given MMU inputs. The inputs must remain stable until
the MMU responds to the request. If a memory request is not made, the acknowledgment line
remains F, the phase remains 0 and the MMU table pointer register remains unchanged.


|- mmu_imp r vAddr vData rwe super tblPtr tblPtrADDR reqIn rAddr
       done ack xlat mem phase ==>
   (!t.
     (phase t = 0) ==>
       (reqIn t =>
          (?c. Next done(t,t + c) /\ (phase(t + c) = 0) /\
               (stable_sigs t (t + c) vAddr rwe tblPtrADDR vData mem super ==>
                  (mmu_spec r (vAddr t) (rwe t) (tblPtrADDR t) (tblPtr t)
                              (vData t) (mem t) (super t) =
                   ack(t + c), rAddr(t + c), tblPtr(t + c))))
        | ( (ack(t + 1) = F) /\
            (phase(t + 1) = 0) /\
            (tblPtr(t + 1) = tblPtr t) )
   ))
Table 5.7-1: Abstract MMU Verification Script Run-Times

File name        Time (CPU sec.)   Inferences
mmu_abs                  85.4              34
mmu_def                 132.1              50
mmu_aux                  81.6           4,385
ctrlUnit_lem          2,850.0         153,977
mmu_prf               2,665.5         122,537
Total                 5,814.6         280,983


The correctness theorem required 2,635.2 seconds of CPU time running on a SPARCStation 
with 16 Mbytes of memory. HOL generated 121,858 primitive inferences to prove the theorem. 
Many lemmas were proven to support the final MMU correctness result. The proof effort was 
organized into a hierarchy of theories as presented in Table 5.7-1. 


5.8 CONTROL UNIT LEMMAS 

Control unit lemmas proven included the following: 

a. Each phase was shown to be distinct. 

b. The control unit phase state can be only one of six possible values. 

c. Phase 0 can never follow phase 2. 

d. During phase 0, the state of the MMU does not change.

e. A theorem showing a correct expansion of the control unit definition. 
Table 5.8-1: Control Unit Lemmas

Lemma                  Time (CPU sec.)   Inferences
PHASE_0_UNIQUE                   9.3         1,004
PHASE_1_UNIQUE                  10.5           952
PHASE_2_UNIQUE                   8.9           917
PHASE_3_UNIQUE                   9.1           904
PHASE_4_UNIQUE                   9.1           913
PHASE_5_UNIQUE                  10.6           944
SIX_PHASES_ONLY              1,426.5        72,872
NOT_PHASE_2_THEN_0             112.0         6,820
PHASE_0_IDLE                 1,146.5        65,672
CTRL_UNIT_EXPAND                35.5         2,774
Total                        2,850.0       153,977


While the phase unique lemmas were trivial to prove, the other lemmas required substantial 
effort. A table listing the lemmas, the required CPU time to verify them and the number of 
intermediate theorems generated is presented in Table 5.8-1. 
6.0 CONCLUDING REMARKS


Several enhancements could be made to the abstract MMU.

a. It would not be difficult to add a register that specifies the number of valid entries in a
segment table. The incoming segment id would be compared with this new value. When the
id is greater than the stored value, the MMU could generate a segment table fault.

b. Another read-only status register could be added to indicate the type of fault that occurred. 

c. A paging unit could be modeled based on the segment table unit. The device would effectively
be the same as the segmentation unit. The stored real address offset might serve as the page
table pointer.

d. Values were added together instead of being merged together, which is more common. 

e. A cache could be added (see section on register stacks). 

This research was intended to serve as a vehicle to investigate how we could reason about
changes in a device under development. The compare units and the page check units demonstrate
what changes to a proof are necessary for small device changes. Of greater concern, however,
is the construction of firewalls within a design: being able to recognize what effect a structural
change would have and how to keep as much of an old proof as possible. The use of abstraction
seems to satisfy these needs, as well as making proofs more tractable.

It also seems apparent that a generic execution tactic could be constructed to ease the pain 
of performing symbolic execution by hand. This would greatly simplify one of the most arduous 
tasks in interactive proof verification using HOL. 

Abstract theories provide a mechanism to ignore many details that can be handled at lower 
levels of a design. For example, the abstract MMU focuses attention on the correctness of the 
control unit. Using the abstract theory package, abstract devices can be instantiated with verified 
gate level implementations of the abstracted functions. 

The abstraction mechanism also permits design changes without the need for a complete
reverification effort. The correctness theorem for the abstract MMU is not dependent on the layout
of the segment protection descriptor or the specific protection requirements.

The basis for a secure hardware platform is a fully functional MMU. The MMU presented here
serves as a model to verify a more sophisticated device, such as the hardware reference monitor
SIDEARM (ref. 24).


The MMUs verified provide sufficient hardware support for an operating system kernel to
ensure process isolation and virtual memory. The device designs can be simplified to define a
paging unit. Future work will investigate the composition of segmentation and paging units.

A register stack that implements a FIFO replacement strategy has also been verified. This
is being enhanced to construct an MMU cache with either an LRU or an LFU replacement strategy.
Future work will investigate composing the MMU with the CPU and other chips to form a complete
hardware base.

6.1 FUTURE WORK

One of the group’s goals is to specify a set of chips that can work together as a system. The rela- 
tionships between an MMU, an interrupt controller, a DMA controller, a memory, coprocessor chips 
(floating point processor), and the CPU were examined and several potential system integration 
problems were uncovered. 

Further research will also examine how a set of processor specifications can be connected 
to create a system. A difficulty in composing independent processors occurs when they share 
state (e.g., memory, peripheral control registers). The proofs for each device make (legitimate) 
assumptions about the effects of device operations. These assumptions simplify the device proof 
but assume complete control over (now shared) state. We have defined some of the composition 
problems and are developing an interaction model based on a noninterference requirement. 
APPENDIX A: BITVECTOR THEORY

system `rm bitVector.th`;;
new_theory `bitVector`;;

let ARB = new_definition
  (`ARB`, "ARB = @(x:bool) . F");;

let ZEROES = new_definition
  (`ZEROES`,
   "! (w:num) (b:num) .
      ZEROES w b = (b <= w) => F | ARB");;

let ABS = new_definition
  (`ABS`,
   "ABS (w:num) (sig:num->num->bool) (t:num) (n:num)
      = (n <= w) => sig n t | ARB");;

let bvPART = new_definition
  (`bvPART`,
   "bvPART max min (sig:num->bool) (n:num)
      = (n > max) => F |
        (n < min) => F |
        sig n");;

let bvEQbit = new_definition
  (`bvEQbit_DEF`,
   "bvEQbit x a b = (a x = (b (x:num)):bool)");;

let bvEQUAL = new_prim_rec_definition
  (`bvEQUAL_DEF`,
   "(bvEQUAL 0 a b = (a 0 = (b 0):bool)) /\
    (bvEQUAL (SUC n) a b = (bvEQUAL n a b /\ (a (SUC n) = (b (SUC n)))))");;

let bvGREATER = new_prim_rec_definition
  (`bvGREATER_DEF`,
   "(bvGREATER 0 a b = ( a 0 /\ ~b 0 )) /\
    (bvGREATER (SUC n) a b =
      ( ( a (SUC n) /\ ~b (SUC n) ) \/
        ( (a (SUC n) = b (SUC n)) /\ bvGREATER n a b) ))");;

let bvLESS = new_definition
  (`bvLESS_DEF`,
   "bvLESS n a b = bvGREATER n b a");;

let bvPartEQUAL = new_prim_rec_definition
  (`bvPartEQUAL_DEF`,
   "(bvPartEQUAL 0 y a b =
      ( (y = 0) => (bvEQbit 0 a b) | F )) /\
    (bvPartEQUAL (SUC x) y a b =
      (
        ((SUC x) > y) => (bvEQbit (SUC x) a b /\ (bvPartEQUAL x y a b)) |
        ((SUC x) = y) => (bvEQbit (SUC x) a b) | F
      ))");;

let bvPartGREATER = new_prim_rec_definition
  (`bvPartGREATER_DEF`,
   "(bvPartGREATER (SUC x) y a b =
      (
        ((SUC x) > y) =>
          ( ( a(SUC x) /\ ~b(SUC x) ) \/
            ( (a(SUC x) = b(SUC x)) /\ bvPartGREATER x y a b ) ) |
        ((SUC x) = y) => ( a(SUC x) /\ ~b(SUC x) ) | F
      ))");;

let bvPartLESS = new_definition
  (`bvPartLESS_DEF`,
   "bvPartLESS x y a b = bvPartGREATER x y b a");;

close_theory ();;
APPENDIX B: COMPARISON UNITS

loadf `exist_tac.ml`;;

system `rm comparer.th`;;

new_theory `comparer`;;

map load_parent [`gates`; `bitVector`];;

let bitComp_spec = new_definition
  (`bitComp_spec`,
   "! first sec g l e . bitComp_spec first sec g l e =
      (g = ( first /\ ~sec)) /\
      (l = (~first /\  sec)) /\
      (e = ( first = sec ))");;

let bitComp_imp = new_definition
  (`bitComp_imp`,
   "! first sec g l e . bitComp_imp first sec g l e =
      ? p q . (inv first p) /\ (inv sec q) /\
              (nor2 p sec g) /\
              (nor2 q first l) /\
              (nor2 g l e)");;

let bitComp_correct = prove_thm
  (`bitComp_correct`,
   "! first sec g l e.
      bitComp_imp first sec g l e = bitComp_spec first sec g l e",
   REWRITE_TAC [bitComp_imp; bitComp_spec; nor2; inv]
   THEN REPEAT GEN_TAC
   THEN EXISTS_ELIM_TAC
   THEN REWRITE_TAC [DE_MORGAN_THM]
   THEN REWRITE_TAC [SPECL ["sec"; "~first"] CONJ_SYM]
   THEN EQ_TAC
   THEN STRIP_TAC
   THEN ASM_REWRITE_TAC []
   THEN MAP_EVERY BOOL_CASES_TAC ["first:bool"; "sec:bool"]
   THEN REWRITE_TAC []
  );;

bitComp_correct =
|- !first sec g l e.
     bitComp_imp first sec g l e = bitComp_spec first sec g l e
Run time: 35.5s
Intermediate theorems generated: 3470

let compComb_spec = new_definition
  (`compComb_spec`,
   "! g0 g1 l0 l1 e0 e1 g l e . compComb_spec g0 g1 l0 l1 e0 e1 g l e =
      (g = (g1 \/ (e1 /\ g0))) /\
      (l = (l1 \/ (e1 /\ l0))) /\
      (e = (e1 /\ e0))");;

let compComb_imp = new_definition
  (`compComb_imp`,
   "! g0 g1 l0 l1 e0 e1 g l e . compComb_imp g0 g1 l0 l1 e0 e1 g l e =
      ? p q . (and2_imp e1 g0 p) /\ (or2_imp g1 p g) /\
              (and2_imp e1 l0 q) /\ (or2_imp l1 q l) /\
              (and2_imp e1 e0 e)");;

let compComb_correct = prove_thm
  (`compComb_correct`,
   "! g0 g1 l0 l1 e0 e1 g l e. compComb_imp g0 g1 l0 l1 e0 e1 g l e =
      compComb_spec g0 g1 l0 l1 e0 e1 g l e",
   REWRITE_TAC [compComb_imp; compComb_spec; and2_correct; or2_correct]
   THEN REWRITE_TAC [and2_spec; or2_spec]
   THEN REPEAT GEN_TAC
   THEN EXISTS_ELIM_TAC
   THEN PURE_ONCE_REWRITE_TAC
          [SPECL ["(l = l1 \/ e1 /\ l0)"; "(g = g1 \/ e1 /\ g0)"] CONJ_SYM]
   THEN PURE_ONCE_REWRITE_TAC [SPECL ["(e = e0 /\ e1)"] CONJ_SYM]
   THEN REWRITE_TAC [CONJ_ASSOC]
  );;

compComb_correct =
|- !g0 g1 l0 l1 e0 e1 g l e.
     compComb_imp g0 g1 l0 l1 e0 e1 g l e =
     compComb_spec g0 g1 l0 l1 e0 e1 g l e
Run time: 25.9s
Intermediate theorems generated: 2385

let comp_spec = new_definition
  (`comp_spec`,
   "! n a b g l e.
      comp_spec n a b g l e =
        ( g = ( bvGREATER n a b) ) /\
        ( l = ( bvLESS n a b) ) /\
        ( e = ( bvEQUAL n a b) )");;

let comp_imp = new_prim_rec_definition
  (`comp_imp`,
   "(comp_imp 0 a b gr le eq = (bitComp_imp (a 0) (b 0) gr le eq)) /\
    (comp_imp (SUC n) a b gr le eq =
      ? gs ls es gn ln en .
        (comp_imp n a b gn ln en) /\
        (bitComp_imp (a (SUC n)) (b (SUC n)) gs ls es) /\
        (compComb_imp gn gs ln ls en es gr le eq))");;

let compare_correct = prove_thm
  (`compare_correct`,
   "! n a b great less equ.
      comp_imp n a b great less equ = comp_spec n a b great less equ",
   INDUCT_TAC
   THEN REPEAT GEN_TAC
   THEN REWRITE_TAC [comp_imp; comp_spec]
   THENL
   [% base case %
    REWRITE_TAC [bitComp_correct; bitComp_spec;
                 bvGREATER_DEF; bvLESS_DEF; bvEQUAL_DEF]
    THEN EQ_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC []
    THEN PURE_ONCE_REWRITE_TAC [SPECL ["~a 0"] CONJ_SYM]
    THEN REWRITE_TAC []
   ;% induction %
    REWRITE_TAC [comp_imp]
    THEN ASM_REWRITE_TAC []
    THEN REWRITE_TAC [bitComp_correct; compComb_correct;
                      comp_spec; bitComp_spec; compComb_spec]
    THEN EXISTS_ELIM_TAC
    THEN REWRITE_TAC [bvGREATER_DEF; bvLESS_DEF; bvEQUAL_DEF]
    THEN EQ_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC []
    THEN PURE_ONCE_REWRITE_TAC [SPECL ["~a(SUC n)"] CONJ_SYM]
    THEN PURE_ONCE_REWRITE_TAC [SPECL ["bvEQUAL n a b"] CONJ_SYM]
    THEN REWRITE_TAC [] THEN EQ_TAC THEN STRIP_TAC
    THEN ASM_REWRITE_TAC []
   ]);;

compare_correct =
|- !n a b great less equ.
     comp_imp n a b great less equ = comp_spec n a b great less equ
Run time: 163.7s
Garbage collection time: 97.6s
Intermediate theorems generated: 13399

let bitEq_spec = new_definition
  (`bitEq_spec`,
   "! first sec e . bitEq_spec first sec e =
      (e = ( (first:bool) = sec ))");;

let bitEq_imp = new_definition
  (`bitEq_imp`,
   "! first sec e . bitEq_imp first sec e =
      ? i j . (nor2 first sec i) /\
              (and2_imp first sec j) /\
              (or2_imp i j e)");;

let bitEq_correct = prove_thm
  (`bitEq_correct`,
   "! first sec e.
      bitEq_imp first sec e = bitEq_spec first sec e",
   REWRITE_TAC [ bitEq_imp; bitEq_spec; or2_correct;
                 nor2; and2_correct; inv; or2_spec; and2_spec]
   THEN REPEAT GEN_TAC
   THEN EXISTS_ELIM_TAC
   THEN MAP_EVERY BOOL_CASES_TAC ["first:bool"; "sec:bool"]
   THEN REWRITE_TAC []
  );;

bitEq_correct =
|- !first sec e. bitEq_imp first sec e = bitEq_spec first sec e
Run time: 15.3s
Intermediate theorems generated: 1251

let compEq_spec = new_definition
  (`compEq_spec`,
   "! n a b e.
      compEq_spec n a b e =
        ( e = ( bvEQUAL n a b) )");;

let compEq_imp = new_prim_rec_definition
  (`compEq_imp`,
   "(compEq_imp 0 a b eq = (bitEq_imp (a 0) (b 0) eq)) /\
    (compEq_imp (SUC n) a b eq =
      ? es en .
        (compEq_imp n a b en) /\
        (bitEq_imp (a (SUC n)) (b (SUC n)) es) /\
        (and2_imp en es eq))");;

let compEq_correct = prove_thm
  (`compEq_correct`,
   "! n a b e. compEq_imp n a b e = compEq_spec n a b e",
   INDUCT_TAC
   THEN REPEAT GEN_TAC
   THEN ASM_REWRITE_TAC [compEq_imp; compEq_spec; bvEQUAL_DEF; and2_imp;
                         bitEq_correct; bitEq_spec; inv; nand2]
   THEN EXISTS_ELIM_TAC
   THEN PURE_ONCE_REWRITE_TAC [SPECL ["bvEQUAL n a b"] CONJ_SYM]
   THEN REWRITE_TAC []
  );;

compEq_correct = |- !n a b e. compEq_imp n a b e = compEq_spec n a b e
Run time: 22.1s
Intermediate theorems generated: 1796

close_theory();;
APPENDIX C: PAGECHECK UNITS

system `rm pgCk.th`;;
loadf `exist_tac.ml`;;
new_theory `pgCk`;;

map load_parent [`gates`; `bitVector`; `comparer`; `register`];;

let bitFalse = new_definition
  (`bitFalse`, "!t . bitFalse t = F");;

% pgCk specifies a (register/ack) pair for a (n/address/writeOp/register)
  input tuple %

let pgCk = new_definition
  (`pgCk`, "!rgstr address write n. pgCk n address write rgstr =
     ((write = T) => (address, T:bool) |
      (bvEQUAL n rgstr address) => (rgstr, T) |
      (rgstr, F)
     )");;

let pgCk_spec = new_definition
  (`pgCk_spec`,
   "!(reg addr :num->num->bool) (rWC ack :num->bool) (n:num).
      pgCk_spec n addr rWC reg ack =
        !(t:num). (reg(t+1), ack(t+1)) =
                  pgCk n (addr t) (rWC t) (reg t)");;

let pgCk_imp = new_definition
  (`pgCk_imp`,
   "!reg addr rWC n ack. pgCk_imp n addr rWC reg ack =
      !t .
        (?g l e.
          (reg_imp n addr rWC bitFalse reg) /\
          (comp_imp n (ABS n reg t) (ABS n addr t) g l e) /\
          (or2_imp e (rWC t) (ack (t+1)))
        )");;

let pgCk_correct = prove_thm
  (`pgCk_correct`,
   "!reg addr rWC n ack . pgCk_imp n addr rWC reg ack ==>
      pgCk_spec n (ABS n addr) rWC (ABS n reg) ack",
   REPEAT GEN_TAC
   THEN REWRITE_TAC [ pgCk_imp; pgCk_spec; pgCk ]
   THEN REWRITE_TAC [ compare_correct; reg_correct; or2_correct ]
   THEN REWRITE_TAC [ reg_spec; comp_spec; or2_spec ]
   THEN REWRITE_TAC [ bitFalse ]
   THEN EXISTS_ELIM_TAC
   THEN STRIP_TAC
   THEN GEN_TAC
   THEN ASM_CASES_TAC "(rWC t):bool"
   THEN ASM_REWRITE_TAC []
   THEN ASM_CASES_TAC "(bvEQUAL n(ABS n reg t)(ABS n addr t)):bool"
   THEN ASM_REWRITE_TAC []
  );;

% now add a supervisor line %

let pgCks_spec = new_definition
  (`pgCks_spec`,
   "!(reg addr :num->num->bool) (sup rWC ack :num->bool) (n:num).
      pgCks_spec n addr rWC sup reg ack =
        !(t:num). (reg(t+1), ack(t+1)) =
                  pgCk n (addr t) (rWC t /\ sup t) (reg t)");;

let pgCks_imp = new_definition
  (`pgCks_imp`,
   "!reg addr rWC sup n ack. pgCks_imp n addr rWC sup reg ack =
      !t.
        (? z g l e.
          (and2_imp (rWC t) (sup t) (z t)) /\
          (reg_imp n addr z bitFalse reg) /\
          (comp_imp n (ABS n reg t) (ABS n addr t) g l e) /\
          (or2_imp e (z t) (ack (t+1)))
        )");;

let pgCks_correct = prove_thm
  (`pgCks_correct`,
   "!reg addr rWC sup n ack . pgCks_imp n addr rWC sup reg ack ==>
      pgCks_spec n (ABS n addr) rWC sup (ABS n reg) ack",
   REPEAT GEN_TAC
   THEN ONCE_REWRITE_TAC [ pgCks_imp; pgCks_spec ]
   THEN ONCE_REWRITE_TAC [ pgCk ]
   THEN ONCE_REWRITE_TAC
          [ compare_correct; reg_correct; or2_correct; and2_correct ]
   THEN ONCE_REWRITE_TAC [ reg_spec; comp_spec; or2_spec; and2_spec ]
   THEN REWRITE_TAC [ bitFalse ]
   THEN EXISTS_ELIM_TAC
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\thm . STRIP_ASSUME_TAC (SPEC_ALL thm))
   THEN ASSUM_LIST (\asl . REWRITE_TAC
                      [(REWRITE_RULE [el 2 asl] (el 3 asl))])
   THEN MAP_EVERY ASM_CASES_TAC [ "(rWC t):bool"; "(sup t):bool" ]
   THEN ASSUM_LIST (\thl . ASSUME_TAC (REWRITE_RULE [
          (REWRITE_RULE [(el 1 thl); (el 2 thl)] (el 4 thl)) ] (el 5 thl)))
   THEN ASM_REWRITE_TAC []
   THEN ASM_CASES_TAC "(bvEQUAL n(ABS n reg t)(ABS n addr t)):bool"
   THEN ASM_REWRITE_TAC []
  );;
APPENDIX D: BASE AND BOUNDS CHECK UNIT

system `rm mmu.th`;;
loadf `exist_tac.ml`;;
new_theory `mmu`;;

map load_parent [`gates`; `bitVector`; `comparer`; `register`];;

let bitFalse = new_definition
  (`bitFalse`, "!t . bitFalse t = F");;

%
baseBounds MMU
  input:
    addr, offset, data, supervisor state, read/write request,
    ADDR of register
    s: defines number of bits defining segment size
  output:
    ack
  internal state:
    baseBounds register
%

let bbSUPERV = new_definition
  (`bbSUPERV`,
   "! (bbReg addr data :num->bool)
      (ADDR :num->bool) (rw:bool) (n:num).
      bbSUPERV n bbReg addr data ADDR rw =
        ( rw => ( (bvEQUAL n addr ADDR) => (data, T:bool) | (bbReg, T) ) |
          (bbReg, T) )");;

let bbCOMP = new_definition
  (`bbCOMP`,
   "! bbReg addr n s.
      bbCOMP n s bbReg addr =
        ( (bvEQUAL n (bvPART n s bbReg) (bvPART n s addr) /\ ~(bvGREATER s addr bbReg))
          => (bbReg, T:bool) | (bbReg, F) )");;

let bbNextState = new_definition
  (`bbNextState`,
   "! (bbReg addr data :num->bool)
      (ADDR :num->bool) (super rw ack :bool) (n s :num).
      bbNextState n s bbReg addr data ADDR super rw =
        ( super => bbSUPERV n bbReg addr data ADDR rw |
                   bbCOMP n s bbReg addr )");;

let baseBoundCk_spec = new_definition
  (`baseBoundCk_spec`,
   "! (bbReg addr data :num->num->bool) (ADDR :num->bool)
      (super rw ack :num->bool) (n s:num).
      baseBoundCk_spec n s bbReg addr data ADDR super rw ack =
        (s < n) ==>
          !t. ( bbReg(t+1), ack(t+1) ) =
              bbNextState n s (bbReg t) (addr t) (data t) ADDR (super t) (rw t)");;

let PRT = new_definition
  (`PRT`,
   "PRT w max min (sig:num->num->bool) (t:num) (n:num)
      = (n > max) => F |
        (n < min) => F |
        (n <= w) => (sig n t) | ARB");;

let baseBoundCk_imp = new_definition
  (`baseBoundCk_imp`,
   "! (bbReg addr data :num->num->bool) (ADDR :num->bool)
      (super rw ack :num->bool) (n s:num).
      baseBoundCk_imp n s bbReg addr data ADDR super rw ack =
        (s < n) ==> !t.
          (? writeBB g0 g1 g2 l0 l1 l2 e2 x addrMatch goodSeg goodOfs ok.
            (reg_imp n data writeBB bitFalse bbReg) /\
            (comp_imp n (ABS n addr t) ADDR g0 l0 (addrMatch t)) /\
            (and2_imp (rw t) (super t) (x t)) /\
            (and2_imp (addrMatch t) (x t) (writeBB t)) /\
            (comp_imp n (PRT n n s bbReg t)
                        (PRT n n s addr t) g1 l1 goodSeg) /\
            (comp_imp s (ABS n addr t)
                        (ABS n bbReg t) g2 l2 e2) /\
            (inv g2 goodOfs) /\
            (and2_imp goodOfs goodSeg ok) /\
            (or2_imp ok (super t) (ack (t+1)))
          )");;

% prove some lemmas %

let mmuLemma0 = prove_thm
  (`mmuLemma0`,
   "!(n s t:num) (sig:num->num->bool) . (s < n) ==>
      ((PRT n n s sig t) = (bvPART n s (ABS n sig t)))",
   INDUCT_TAC
   THEN REPEAT GEN_TAC
   THEN REWRITE_TAC [NOT_LESS_0]
   THEN STRIP_TAC
   THEN CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN GEN_TAC
   THEN REWRITE_TAC [PRT; bvPART; ABS]
  );;

let mmuLemma1 = prove_thm
  (`mmuLemma1`,
   "(bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) /\
     ~bvGREATER s (ABS n addr t)(ABS n bbReg t)) =
    (~bvGREATER s (ABS n addr t)(ABS n bbReg t) /\
     (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t))))",
   ONCE_REWRITE_TAC [
     SPEC "~bvGREATER s (ABS n addr t)(ABS n bbReg t)" CONJ_SYM]
   THEN REFL_TAC
  );;

let mmuLemma2 = prove_thm
  (`mmuLemma2`,
   "!(n:num) . (n > 0) ==> ( ((SUC (PRE n)) - 1) + 1 = (SUC (PRE n)) )",
   GEN_TAC
   THEN ASM_CASES_TAC "n>0"
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [SUC_SUB1]
   THEN REWRITE_TAC [num_CONV "1"]
   THEN REWRITE_TAC [ADD_CLAUSES]
  );;

let mmuLemma3 = prove_thm
  (`mmuLemma3`,
   "!(n:num) . (n > 0) ==> ( (SUC (PRE n)) = n )",
   GEN_TAC
   THEN ASM_CASES_TAC "n>0"
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [PRE_SUB1; ADD1]
   THEN REWRITE_TAC [num_CONV "1"]
   THEN POP_ASSUM (\thm. ASSUME_TAC
          (REWRITE_RULE [thm] (SPECL ["n"; "0"] GREATER)))
   THEN POP_ASSUM (\thm. ASSUME_TAC
          (REWRITE_RULE [thm] (SPECL ["0"; "n"] LESS_EQ)))
   THEN POP_ASSUM (\thm. REWRITE_TAC [
          (REWRITE_RULE [thm] (SPECL ["n"; "(SUC 0)"] SUB_ADD))])
  );;

% prove baseBoundCk_correct %

let baseBoundCk_correct = prove_thm
  (`baseBoundCk_correct`,
   "! (bbReg addr data :num->num->bool) (ADDR :num->bool)
      (super rw ack :num->bool) (n s:num).
      baseBoundCk_imp n s bbReg addr data ADDR super rw ack ==>
        baseBoundCk_spec n s (ABS n bbReg) (ABS n addr) (ABS n data)
                         ADDR super rw ack",
   REWRITE_TAC [baseBoundCk_imp; baseBoundCk_spec]
   THEN REPEAT GEN_TAC
   THEN ASM_CASES_TAC "(s < n)"
   THEN ASM_REWRITE_TAC []
   THEN ONCE_REWRITE_TAC [bbNextState]
   THEN ONCE_REWRITE_TAC [bbSUPERV; bbCOMP]
   THEN ONCE_REWRITE_TAC
          [and2_correct; reg_correct; compare_correct; or2_correct; inv]
   THEN ONCE_REWRITE_TAC [and2_spec; or2_spec; reg_spec; comp_spec]
   THEN REWRITE_TAC [ bitFalse ]
   THEN EXISTS_ELIM_TAC
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\thm. STRIP_ASSUME_TAC (SPEC_ALL thm))
   THEN MAP_EVERY ASM_CASES_TAC [ "(rw t):bool"; "(super t):bool" ]
   THENL [
     % 1/4 %
     ASM_CASES_TAC "bvEQUAL n(ABS n addr t)ADDR"
     THEN ASM_REWRITE_TAC []
     ;% 2/4 %
     ALL_TAC
     ;% 3/4 %
     ASSUM_LIST (\asl. REWRITE_TAC [ (el 1 asl); (el 2 asl) ])
     THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 5 thl)))
     THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE [(el 3 thl)] (el 5 thl)))
     THEN ASSUM_LIST (\thl. ASSUME_TAC
            (REWRITE_RULE [(el 1 thl)] (SPEC "t" (el 5 thl))))
     THEN ASSUM_LIST (\thl. REWRITE_TAC [(el 1 thl); (el 3 thl)])
     ;% 4/4 %
     ALL_TAC
   ] % cases 2 and 4 run in %
   THEN REWRITE_TAC [mmuLemma1]
   THEN ASSUM_LIST (\asl. REWRITE_TAC [ (el 1 asl); (el 2 asl) ])
   THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 5 thl)))
   THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE [(el 2 thl)] (el 5 thl)))
   THEN ASSUM_LIST (\thl. ASSUME_TAC
          (REWRITE_RULE [(el 1 thl)] (SPEC "t" (el 5 thl))))
   THEN ASSUM_LIST (\thl. ASSUME_TAC
          (REWRITE_RULE [(el 10 thl)] (SPECL ["n"; "s"; "t"] mmuLemma0)))
   THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE [(el 1 thl)] (el 4 thl)))
   THEN ASM_CASES_TAC "ack(t+1):bool"
   THEN ASSUM_LIST (\thl. REWRITE_TAC [(el 1 thl); (el 4 thl);
          (REWRITE_RULE [(el 1 thl)] (el 2 thl))])
  );;

baseBoundCk_correct =
|- !bbReg addr data ADDR super rw ack n s.
     baseBoundCk_imp n s bbReg addr data ADDR super rw ack ==>
     baseBoundCk_spec n s (ABS n bbReg) (ABS n addr) (ABS n data)
                      ADDR super rw ack
Run time: 492.7s
Garbage collection time: 347.8s
Intermediate theorems generated: 31227
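The following is an added worked example, not code from the report or its HOL theories: a Python rendering of the bit-vector operations of Appendix A, the gate-level comparator and its specification from Appendix B, the page check of Appendix C, and the base-and-bounds check and virtual-to-real address merge of Appendices D and E. Bit vectors follow the HOL convention of a function from bit index to bool with bit n the most significant bit of an (n+1)-bit vector. The exhaustive check compare_correct plays the role of the HOL theorem of the same name for one small width; the sample register and address values are constructed for the example.

```python
# Added example, not code from the report: Python versions of the bit-vector
# theory (App. A), the ripple comparator and its spec (App. B), the page check
# (App. C) and the base-and-bounds check with VtoR translation (Apps. D, E).
# Bit vectors are functions from bit index to bool, bit 0 least significant.
from itertools import product

def bv(value, width):
    """Bit vector of `value`; bits at or above `width` read as False (ARB)."""
    return lambda i: bool((value >> i) & 1) if i < width else False

def to_int(vec, width):
    return sum(int(vec(i)) << i for i in range(width))

# ---- specification side: bvEQUAL / bvGREATER / bvLESS over bits 0..n ----
def bvEQUAL(n, a, b):
    return all(a(i) == b(i) for i in range(n + 1))

def bvGREATER(n, a, b):
    """Primitive recursion on n, as in bvGREATER_DEF."""
    if n == 0:
        return a(0) and not b(0)
    return (a(n) and not b(n)) or (a(n) == b(n) and bvGREATER(n - 1, a, b))

def bvLESS(n, a, b):
    return bvGREATER(n, b, a)

def bvPART(mx, mn, sig):
    """Bits outside [mn, mx] read as False, as in bvPART."""
    return lambda i: sig(i) if mn <= i <= mx else False

# ---- implementation side: gates, one-bit comparator, combiner, ripple ----
def inv(x): return not x
def nor2(x, y): return not (x or y)
def and2(x, y): return x and y
def or2(x, y): return x or y

def bitComp_imp(first, sec):
    """Gate netlist of bitComp_imp: returns (g, l, e)."""
    p, q = inv(first), inv(sec)
    g = nor2(p, sec)          # first /\ ~sec
    l = nor2(q, first)        # ~first /\ sec
    e = nor2(g, l)            # first = sec
    return g, l, e

def compComb_imp(g0, g1, l0, l1, e0, e1):
    """Merge the lower-order result (g0,l0,e0) with the current bit's (g1,l1,e1)."""
    return or2(g1, and2(e1, g0)), or2(l1, and2(e1, l0)), and2(e1, e0)

def comp_imp(n, a, b):
    """Ripple comparator over bits 0..n, mirroring the recursion of comp_imp."""
    if n == 0:
        return bitComp_imp(a(0), b(0))
    gn, ln, en = comp_imp(n - 1, a, b)
    gs, ls, es = bitComp_imp(a(n), b(n))
    return compComb_imp(gn, gs, ln, ls, en, es)

def compare_correct(n):
    """Exhaustive stand-in for the HOL theorem: comp_imp = comp_spec at width n+1."""
    for x, y in product(range(1 << (n + 1)), repeat=2):
        a, b = bv(x, n + 1), bv(y, n + 1)
        if comp_imp(n, a, b) != (bvGREATER(n, a, b), bvLESS(n, a, b), bvEQUAL(n, a, b)):
            return False
    return True

# ---- checking units built on the comparator ----
def pgCk(n, address, write, rgstr):
    """Page check: a write loads the register; otherwise ack iff address matches it."""
    if write:
        return address, True
    if bvEQUAL(n, rgstr, address):
        return rgstr, True
    return rgstr, False

def bbCOMP(n, s, bbReg, addr):
    """Base-and-bounds: segment bits s..n must match, offset bits 0..s must not
    exceed the bound held in bbReg. Returns (register, ack)."""
    ok = (bvEQUAL(n, bvPART(n, s, bbReg), bvPART(n, s, addr))
          and not bvGREATER(s, addr, bbReg))
    return bbReg, ok

def VtoR(realA, virtA, s):
    """Real address: bits above s from realA (the vaReg register), bits 0..s from virtA."""
    return lambda i: realA(i) if i > s else virtA(i)
```

Two points worth noticing when running it: the same bvGREATER that the gate-level ripple comparator is checked against is reused unchanged for the offset-bound test in bbCOMP, which is exactly the reuse the report's theory hierarchy (bitVector, comparer, then the MMU theories) is organised around; and bit s is consulted both by the segment match (bvPART n s) and by the bound compare (bvGREATER s), which is how the Appendix D definitions are written.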


APPENDIX E: 


VIRTUAL ADDRESS TRANSLATION UNIT 


i«t.l lag( ‘print.all.aubgoala* , falsa) ; ; 
systaa l xi aau.th*;; 
load! *axist. tac.nl* \ ; 
siv.tbiozy ‘mu';; 

Bap load.parant [*gataa* ; «bitYactor* ; ‘coaparar* ; *ragiatar *] ; ; 

lat bitFalaa » naw.daf inition 

( ‘bitFalaa* , M !t . bitFalaa t » F M );; 



baa a Bounds HKU with virtual addrasa translation 


lat tSUPERV - naw.dafinition 
(‘tSUPERV*, 

M ! (bbRag waRag addr data :nu»~>bool) 

(ADDR :nua->bool) (rwibool) (n:nu»). 
tSUPERV n bbRag vaRag addr data ADDR rw - 
( (rw /\ (bvEQUAL n (bwPART n 1 addr) (bwPART n 1 ADDR) )) 

-> (addr 0) *> (data, waRag, addr, T:bool) I 

(bbRag, data, addr, T:bool) I 
(bbRag, waRag, addr, T) )" );; 

lat VtoR - naw.dafinition 
( * VtoR* , 

*'VtoR raalA wirtA s n 

■ (n > ») ■> (raalA n):bool I 
(wirtA n) M );; 

lat wCQHP ■ naw.daf inition 
( * wCOHP 1 , 

M ! bbRag waRag addr n s. 
wCOMP n s bbRag waRag addr - 
( (bvEQUAL n (bvPART n a bbRag) (bvP ART n s addr) /\ 

•(bvGREATER s addr bbRag) ) 

»> (bbRag, waRag, (VtoR waRag addr e), T:bool) I 
(bbRag, waRag, addr, F))");; 

lat wlaxtStata - naw.daf inition 
(‘wlaxtStata*, 

"! (bbRag waRag addr data :nu*->bool) 

(ADDR :nu*->bool) (supar rw ack :bool) (n a :nua) . 
wlaxtStata n a bbRag waRag addr data ADDR aupar rw • 

( aupar -> tSUPERV n bbRag waRag addr data ADDR rw I 
wCOMP n a bbRag waRag addr )” );; 

lat virtBBCk.apac * naw.daf inition 
(*virtBBCk.spac* , 

hj (bbRag waRag addr data out Addr :nun->nu*->bool) (ADDR :nu«->bool) 
(aupar rw ack :nua->bool) (n s:nua). 

wirtBBCk.apac n a bbRag waRag addr data ADDR aupar rw ack outAddr- 
(a < n) »> 
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Jt. ( bbRag (t+1 ), waRag (t+1) f out Addr (t«-l)» ack(t+l) ) ■ 
wlaxtStata n a (bbRag t) (waRag t) (add r t) (data t) 

ADDR (aupar t) (rw t) M );s 

lat PRT ■ naw.daf inition 
(‘PRT 1 , 

n PRT « sax Bin (aig:nun“>num->bool) (t:num) (n:num) 

■ (n > mx) *> F l 
(n < min) ■> F I 

(n <- w) *> (aig n t) I ARB ");; 

lat PRTA » maw .definition 
(‘PRTA* » 

"PRTA « max min (aig:xmm->bool) (n:num) 

■ (n > max) *> F I 
(n < min) -> F I 

(n <■ w) ■> (aig n) I ARB ");; 

lat pick. imp - mav.daf inition 
(‘pick.imp* , 

♦•pick.imp (vordA :nnm->bool) (wordB :num->bool) (which:bool) raa 
» (which • T) »> (raa - wordA) I (raa - wordB)");; 

lat wirtBBCk.imp - nat.daf inition 
(‘wirtBBCk.imp‘ » 

H !(bbRag waRag addr data outAddr :num->num->bool) (ADDR :num->bool) 
(aupar rw ack :num->b©ol) (n a;num). 

wirtBBCk.imp n a bbRag waRag addr data ADDR aupar rw ack outAddr- 
(a < n) — > St. 

(? wBB wVA aalact x aHO aMl aH2 goodSag goodOfa ok nok nxlat g 1 a. 
(and2.imp (rw t) (aupar t) (x t)) /\ 

(compEq.imp n (PRT n n 1 addr t) (PRTA n n 1 ADDR) (aHO t)) /\ 
(and2_imp (aMO t) (x t) (aMl t)) /\ 

(inw (addr 0 t) (aM2 t) ) /\ 

(and2.imp (aMl t) (addr 0 t) (wBB t)) /\ 

(and2.imp (aMl t) (aM2 t) (wVA t)) /\ 

(rag.imp n data wBB bitFalaa bbRag) /\ 

(rag. imp n data wVI bitFalaa waRag) A 
(compEq.imp n (PRT n n a bbRag t) 

(PRT n n a addr t) goodSag) /\ 

(comp. imp • (ABS n addr t) 

(ABS n bbRag t) g 1 a) A 
(inw g goodOfa) A 
(and 2. imp goodOfa goodSag ok) A 

(or2.imp ok (aupar t) (ack (t+1)) ) A 
(inw ok nok ) /\ 

(or2.imp nok (aupar t) nxlat) A 

(pick.imp (ABS n addr t) (ABS n waRag t) nxlat (aalact t)) A 
( (outAddr (t+1))- (VtoR (aalact t) (ABS n addr t) • ) ) 


%------------------------- prove some lemmas --------------------------%

let mmuLemma0 = prove_thm
  (`mmuLemma0`,
   "!(n s t:num) (sig:num->num->bool) .
      (PRT n n s sig t) = (bvPART n s (ABS n sig t))",
   CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN GEN_TAC
   THEN REWRITE_TAC [PRT;bvPART;ABS]
  );;

let mmuLemma1 = prove_thm
  (`mmuLemma1`,
   "(bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t)) /\
     ~bvGREATER s (ABS n addr t) (ABS n bbReg t)) =
    (~bvGREATER s (ABS n addr t) (ABS n bbReg t) /\
     (bvEQUAL n (bvPART n s (ABS n bbReg t)) (bvPART n s (ABS n addr t))))",
   ONCE_REWRITE_TAC [
     SPEC "~bvGREATER s (ABS n addr t) (ABS n bbReg t)" CONJ_SYM]
   THEN REFL_TAC
  );;

let mmuLemma2 = prove_thm
  (`mmuLemma2`,
   "VtoR a a s = a",
   CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN REWRITE_TAC [VtoR]
   THEN GEN_TAC
   THEN BOOL_CASES_TAC "n > s"
   THEN REWRITE_TAC []
  );;

let mmuLemma3 = prove_thm
  (`mmuLemma3`,
   "!(n s:num) (sig:num->bool) . (PRTA n n s sig) = (bvPART n s sig)",
   CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN REPEAT GEN_TAC
   THEN REWRITE_TAC [PRTA;bvPART]
   THEN ASM_CASES_TAC "(n' > n)"
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST(\asl. ASSUME_TAC(
          REWRITE_RULE [ (SPECL ["n'";"n"] GREATER) ] (el 1 asl) ))
   THEN ASSUM_LIST (\asl. REWRITE_TAC [
          REWRITE_RULE [ (el 1 asl) ] (SPECL ["n";"n'"] LESS_CASES) ])
  );;

let mmuLemma4 = prove_thm
  (`mmuLemma4`,
   "addr 0 t = ABS n addr t 0",
   ONCE_REWRITE_TAC [ABS]
   THEN ONCE_REWRITE_TAC [SPECL["0";"n"] LESS_OR_EQ]
   THEN REWRITE_TAC [
     REWRITE_RULE [SPEC "(0=n)" DISJ_SYM] (SPECL ["n"] LESS_0_CASES)]
  );;

%--------------------------- prove correct ----------------------------%

let virtBB_correct = prove_thm
  (`virtBB_correct`,
   "!(bbReg vaReg addr data outAddr :num->num->bool) (ADDR :num->bool)
     (super rw ack :num->bool) (n s:num).
    virtBBCk_imp n s bbReg vaReg addr data ADDR super rw ack outAddr ==>
    virtBBCk_spec n s (ABS n bbReg) (ABS n vaReg) (ABS n addr)
                  (ABS n data) ADDR super rw ack outAddr",
   REWRITE_TAC [virtBBCk_imp; virtBBCk_spec]
   THEN REPEAT GEN_TAC
   THEN ASM_CASES_TAC "(s < n)"
   THEN ASM_REWRITE_TAC []
   THEN ONCE_REWRITE_TAC [nextState]
   THEN ONCE_REWRITE_TAC [tSUPERV; tCOMP]
   THEN ONCE_REWRITE_TAC
     [and2_correct; reg_correct; compare_correct;
      compEq_correct; or2_correct; inv]
   THEN ONCE_REWRITE_TAC [and2_spec; or2_spec; reg_spec;
      comp_spec; compEq_spec; pick_imp]
   THEN REWRITE_TAC [ bitFalse ]
   THEN EXISTS_ELIM_TAC
   THEN REPEAT STRIP_TAC
   THEN POP_ASSUM (\thm. ASSUME_TAC (SPEC_ALL thm))
   THEN MAP_EVERY ASM_CASES_TAC ["(super t):bool"; "(rw t):bool"]
   THEN ASSUM_LIST(\asl. STRIP_ASSUME_TAC
          (REWRITE_RULE [(el 1 asl);(el 2 asl)] (el 3 asl)))
   THEN POP_ASSUM_LIST (\asl.
          MAP_EVERY ASSUME_TAC (rev (subtract asl [(el 12 asl)])))
   THENL
   [ % 1/4 (super t) (rw t) %
     ASSUM_LIST (\asl.
        REWRITE_TAC [(el 6 asl);(el 10 asl);(el 11 asl)] )
     THEN ASM_CASES_TAC "bvEQUAL n (PRT n n 1 addr t) (PRTA n n 1 ADDR)"
     THEN ASSUM_LIST (\thl. REWRITE_TAC [ REWRITE_RULE
            [(SPECL ["n";"1";"ADDR"] mmuLemma3);
             (SPECL ["n"; "1"; "t"; "addr"] mmuLemma0)] (el 1 thl) ])
     THEN ASSUM_LIST(\thl. ASSUME_TAC
            (REWRITE_RULE [mmuLemma2; (el 2 thl)] (el 8 thl)))
     THENL [
       ASM_CASES_TAC "(addr 0 t):bool"
       THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
              [(REWRITE_RULE [(el 1 thl);(el 3 thl)] (el 7 thl) )]
              (SPEC "t" (el 5 thl)) ))
       THEN ASSUM_LIST (\asl. REWRITE_TAC
              [REWRITE_RULE [mmuLemma4] (el 2 asl)] )
       THEN ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
              [(REWRITE_RULE [(el 2 thl);(el 4 thl)] (el 9 thl) )]
              (SPEC "t" (el 7 thl)) ))
       THEN ASSUM_LIST (\thl. REWRITE_TAC
              [PAIR_EQ; (el 1 thl); (el 2 thl); (el 4 thl)])
       ;
       ASSUM_LIST(\thl. ASSUME_TAC (REWRITE_RULE
              [(REWRITE_RULE [(el 2 thl);(el 3 thl)] (el 7 thl) )]
              (SPEC "t" (el 5 thl)) ))
       THEN ASSUM_LIST (\thl. ASSUME_TAC (REWRITE_RULE
              [(REWRITE_RULE [(el 3 thl);(el 4 thl)] (el 7 thl) )]
              (SPEC "t" (el 5 thl)) ))
       THEN ASSUM_LIST (\thl. REWRITE_TAC
              [PAIR_EQ; (el 1 thl);(el 2 thl);(el 3 thl)])
     ]
   ; % 2/4 super t /\ ~rw t %
     ASM_REWRITE_TAC [mmuLemma2]
   ; % 3/4 ~super t /\ rw t %
     ALL_TAC
   ; % 4/4 ~super t /\ ~rw t %
     ALL_TAC
   ]
   THEN ASSUM_LIST (\asl. (REWRITE_TAC [ (el 10 asl); (el 11 asl); mmuLemma1;
          (REWRITE_RULE [(el 5 asl)] (SPEC "t" (el 3 asl)));
          (REWRITE_RULE [(el 4 asl)] (SPEC "t" (el 2 asl)))]))
   THEN ASM_CASES_TAC "(~bvGREATER s (ABS n addr t) (ABS n bbReg t) /\
          bvEQUAL n (PRT n n s bbReg t) (PRT n n s addr t))"
   THEN ASSUM_LIST(\asl. REWRITE_TAC [ REWRITE_RULE [mmuLemma0] (el 1 asl) ])
   THEN ASSUM_LIST(\asl. REWRITE_TAC [ REWRITE_RULE [(el 1 asl)] (el 7 asl)])
   THEN ASSUM_LIST(\asl. REWRITE_TAC [ mmuLemma2; (REWRITE_RULE
          [REWRITE_RULE [(el 1 asl)] (el 2 asl)] (el 8 asl)) ])
  );;




%
virtBB_correct =
|- !bbReg vaReg addr data outAddr ADDR super rw ack n s.
   virtBBCk_imp n s bbReg vaReg addr data ADDR super rw ack outAddr ==>
   virtBBCk_spec n s (ABS n bbReg) (ABS n vaReg) (ABS n addr) (ABS n data)
                 ADDR super rw ack outAddr

Run time: 1209.0s
Garbage collection time: 734.6s
Intermediate theorems generated: 64185
%

close_theory();;


%-----------------------------------------------------------------------
 work space

let mmuLemma0 = prove_thm
  (`mmuLemma0`,
   "!(n s t:num) (sig:num->num->bool) . (s < n) ==>
      ((PRT n n s sig t) = (bvPART n s (ABS n sig t)))",
   INDUCT_TAC
   THEN REPEAT GEN_TAC
   THEN REWRITE_TAC [NOT_LESS_0]
   THEN STRIP_TAC
   THEN CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN GEN_TAC
   THEN REWRITE_TAC [PRT;bvPART;ABS]
  );;

let mmuLemma3 = prove_thm
  (`mmuLemma3`,
   "!(n s:num) (sig:num->bool) . (s < n) ==>
      ((PRTA n n s sig) = (bvPART n s sig))",
   INDUCT_TAC
   THEN REPEAT GEN_TAC
   THEN REWRITE_TAC [NOT_LESS_0]
   THEN STRIP_TAC
   THEN CONV_TAC (DEPTH_CONV FUN_EQ_CONV)
   THEN GEN_TAC
   THEN REWRITE_TAC [PRTA;bvPART]
   THEN ASM_CASES_TAC "(n' > (SUC n))"
   THEN ASM_REWRITE_TAC []
   THEN ASSUM_LIST(\asl. ASSUME_TAC(
          REWRITE_RULE [ (SPECL ["n'";"(SUC n)"] GREATER) ] (el 1 asl) ))
   THEN ASSUM_LIST (\asl. REWRITE_TAC [
          REWRITE_RULE [ (el 1 asl) ] (SPECL ["(SUC n)";"n'"] LESS_CASES) ])
  );;
-----------------------------------------------------------------------%


APPENDIX F: ABSTRACT MEMORY MANAGEMENT UNIT 


mmu_abs.ml


let Library_Root = `/epoch/d1/csgrad/schubert/hol/Library/`;;

let lib_dir_list =
  (map (concat Library_Root)
    [`gates/`; `bits/`; `words/`; `numbers/`; `decimal/`; `assoc/`]);;

set_search_path (search_path() @ [`.`;
  `/epoch/d1/csgrad/schubert/hol/tactics/`;
  `/epoch/d1/csgrad/schubert/hol/ml/`;
  `/epoch/d1/csgrad/schubert/hol/theories/`;
  `/epoch/d1/csgrad/schubert/hol/lisp/vax/`;
  ] @ lib_dir_list);;

loadf (`aux_defs.ml`);;

system `rm /epoch/d1/csgrad/schubert/hol/theories/mmu_abs.th`;;

new_theory `mmu_abs`;;

loadf `abstract`;;

new_type_abbrev (`RWE`, ":bool#bool#bool");;

let mmu_abs = new_abstract_representation
  [
   (`segId`,       ":(*address -> *wordn)" );
   (`segOfs`,      ":(*address -> *wordn)" );
   (`segIdShf`,    ":(*address -> *wordn)" );
   % %
   (`availBit`,    ":(*wordn -> bool)" );
   (`readBit`,     ":(*wordn -> bool)" );
   (`writeBit`,    ":(*wordn -> bool)" );
   (`execBit`,     ":(*wordn -> bool)" );
   % %
   (`add`,         ":(*wordn # *wordn -> *wordn)" );
   % %
   (`addrEq`,      ":(*address # *address -> bool)" );
   (`ofsLEq`,      ":(*address # *wordn -> bool)" );
   (`validAccess`, ":(*address # *wordn # RWE -> bool)" );
   % Coercion functions %
   (``,            ":(*wordn -> num)" );   % operator name illegible in source %
   (`wordn`,       ":(num -> *wordn)" );
   (`address`,     ":(*wordn -> *address)" );
   % Memory functions %
   (`fetch`,       ":(*memory # *address) -> *wordn" );
   (`trans`,       ":*memory -> *memory" );
  ];;

let mmu_ty = abstract_type `segId`;;

close_theory();;
mmu_def.ml

let Library_Root = `/epoch/d1/csgrad/schubert/hol/Library/`;;

let lib_dir_list =
  (map (concat Library_Root)
    [`gates/`; `bits/`; `words/`; `numbers/`; `decimal/`; `assoc/`]);;

set_search_path (search_path() @ [`.`;
  `/epoch/d1/csgrad/schubert/hol/tactics/`;
  `/epoch/d1/csgrad/schubert/hol/ml/`;
  `/epoch/d1/csgrad/schubert/hol/theories/`;
  `/epoch/d1/csgrad/schubert/hol/lisp/vax/`;
  ] @ lib_dir_list);;

loadf (`aux_defs.ml`);;

system `rm /epoch/d1/csgrad/schubert/hol/theories/mmu_def.th`;;
new_theory `mmu_def`;;
loadf `abstract`;;

map new_parent [`mmu_abs`; `time_abs`];;

let rep_ty = abstract_type `mmu_abs` `segId`;;

%-----------------------------------------------------------------------
 type definitions
-----------------------------------------------------------------------%

new_type_abbrev (`RWE`, ":bool#bool#bool");;

let rBIT = new_definition
  (`rBIT`, "!rwe:RWE. rBIT rwe = (FST rwe)");;

let wBIT = new_definition
  (`wBIT`, "!rwe:RWE. wBIT rwe = (FST (SND rwe))");;

let eBIT = new_definition
  (`eBIT`, "!rwe:RWE. eBIT rwe = (SND (SND rwe))");;

%-----------------------------------------------------------------------
 Security bit auxiliary definitions
 Segment Descriptor:

      n                                 s-1            0
      +-------+------+-------+---------+----------------+
   0: | Avail | Read | Write | Execute |  Segment Size  |
      +-------+------+-------+---------+----------------+
   1: |                  Real Offset                    |
      +-------------------------------------------------+
-----------------------------------------------------------------------%

%-----------------------------------------------------------------------
 MMU SPECIFICATION
-----------------------------------------------------------------------%


let legalAccess = new_definition
  (`legalAccess`, "!(rwe:RWE) vAddr tblPtr (r:^rep_ty).
   legalAccess r vAddr tblPtr rwe mem =
     let a = (fetch r)( mem,
               (address r)((add r) (segIdShf r vAddr, tblPtr) )) in
     ( (validAccess r) (vAddr, a, rwe) /\ (ofsLEq r) (vAddr, a))" );;

let vToR = new_definition
  (`vToR`,
   "! vAddr tblPtr mem (r:^rep_ty). vToR r vAddr tblPtr mem =
     let a = (fetch r) (mem, (address r)
               ((add r)( (wordn r 1), (add r)(segIdShf r vAddr, tblPtr) ))) in
     (address r) ((add r) (segOfs r vAddr, a)) ");;

let superMode = new_definition
  (`superMode`,
   "! rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    superMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ((wBIT rwe) /\ (addrEq r (vAddr, tblPtrADDR)) )
      => ( T, vAddr, data ) |
         ( T, vAddr, tblPtr )");;

%
let userMode = new_definition
  (`userMode`,
   "! rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    userMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ((wBIT rwe) /\ (addrEq r (vAddr, tblPtrADDR)) )
      => ( F:bool, vAddr, tblPtr ) |
      ( legalAccess r vAddr tblPtr rwe mem
        => ( T, (vToR r vAddr tblPtr mem), tblPtr ) |
           ( F, vAddr, tblPtr ) )");;
%

let userMode = new_definition
  (`userMode`,
   "! rwe vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    userMode r vAddr rwe tblPtrADDR tblPtr data mem =
      ( legalAccess r vAddr tblPtr rwe mem
        => ( T, (vToR r vAddr tblPtr mem), tblPtr ) |
           ( F, vAddr, tblPtr ) )");;

let nextState = new_definition
  (`nextState`,
   "! superv vAddr rwe tblPtrADDR tblPtr data mem (r:^rep_ty).
    nextState r vAddr rwe tblPtrADDR tblPtr data mem superv =
      (superv => superMode r vAddr rwe tblPtrADDR tblPtr data mem |
                 userMode  r vAddr rwe tblPtrADDR tblPtr data mem )" );;

let mmu_beh = new_definition
  (`mmu_beh`,
   "!reqIn superv vAddr tblPtrADDR tblPtrIn rwe data mem (r:^rep_ty).
    mmu_beh r reqIn rwe vAddr superv data mem tblPtrADDR tblPtrIn =
      % (reqOut, rAddr, tblPtrOut) = %
      reqIn => nextState r vAddr rwe tblPtrADDR tblPtrIn data mem superv |
               (F:bool, vAddr, tblPtrIn)" );;

let mmu_spec = new_definition
  (`mmu_spec`,
   "! rwe superv vAddr tblPtrADDR tblPtr data mem (r:^rep_ty).
    mmu_spec r vAddr rwe tblPtrADDR tblPtr data mem superv =
      ( superv => superMode r vAddr rwe tblPtrADDR tblPtr data mem |
                  userMode  r vAddr rwe tblPtrADDR tblPtr data mem )" );;
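The following Python model is an added worked example and is not part of the report or of its HOL sources. It executes the abstract specification above (legalAccess, vToR, superMode, userMode, nextState and mmu_beh) on a constructed segment table, so that the protection decisions the HOL text states as equations can be exercised on concrete requests. The HOL text leaves *address, *wordn, validAccess, ofsLEq and the descriptor bit positions abstract; the integer encodings, the bit layout of descriptor word 0, the 8-bit offset field, the sample table and the constant tblPtrADDR = 0x3FF used here are assumptions of this example.

```python
"""Constructed executable model of the abstract MMU specification in
mmu_def.ml (legalAccess, vToR, superMode, userMode, nextState, mmu_beh).
Example code; the concrete encodings below are assumptions, not the
report's."""
from collections import namedtuple

RWE = namedtuple("RWE", "r w e")          # (rBIT, wBIT, eBIT)

# Assumed virtual-address layout: segment id in the high bits, 8-bit offset.
OFS_BITS = 8
OFS_MASK = (1 << OFS_BITS) - 1
# Assumed layout of descriptor word 0 (cf. the Segment Descriptor figure):
# Avail | Read | Write | Execute flags above an 8-bit segment size.
AVAIL, READ, WRITE, EXEC = 1 << 11, 1 << 10, 1 << 9, 1 << 8
SIZE_MASK = OFS_MASK

def seg_id(v):      return v >> OFS_BITS
def seg_ofs(v):     return v & OFS_MASK
def seg_id_shf(v):  return seg_id(v) << 1      # two words per descriptor
def fetch(mem, a):  return mem.get(a, 0)       # unmapped memory reads as 0

def valid_access(v, a, rwe):
    """validAccess: descriptor present and every requested right granted."""
    return bool(a & AVAIL) and (not rwe.r or bool(a & READ)) \
        and (not rwe.w or bool(a & WRITE)) and (not rwe.e or bool(a & EXEC))

def ofs_leq(v, a):
    """ofsLEq: the offset must not exceed the segment size in word 0."""
    return seg_ofs(v) <= (a & SIZE_MASK)

def legal_access(v, tbl_ptr, rwe, mem):
    a = fetch(mem, seg_id_shf(v) + tbl_ptr)            # descriptor word 0
    return valid_access(v, a, rwe) and ofs_leq(v, a)

def v_to_r(v, tbl_ptr, mem):
    a = fetch(mem, 1 + seg_id_shf(v) + tbl_ptr)        # descriptor word 1
    return seg_ofs(v) + a                              # real offset + offset

def super_mode(v, rwe, tbl_ptr_addr, tbl_ptr, data, mem):
    # Supervisor: a write to tblPtrADDR reloads the table pointer from data;
    # every other request passes through untranslated and unchecked.
    if rwe.w and v == tbl_ptr_addr:
        return (True, v, data)
    return (True, v, tbl_ptr)

def user_mode(v, rwe, tbl_ptr_addr, tbl_ptr, data, mem):
    # User: only checked, translated accesses are acknowledged, and the
    # table pointer is never altered (tblPtrOut = tblPtr on every path).
    if legal_access(v, tbl_ptr, rwe, mem):
        return (True, v_to_r(v, tbl_ptr, mem), tbl_ptr)
    return (False, v, tbl_ptr)

def next_state(v, rwe, tbl_ptr_addr, tbl_ptr, data, mem, superv):
    mode = super_mode if superv else user_mode
    return mode(v, rwe, tbl_ptr_addr, tbl_ptr, data, mem)

def mmu_beh(req_in, rwe, v, superv, data, mem, tbl_ptr_addr, tbl_ptr_in):
    """Returns the triple (reqOut, rAddr, tblPtrOut) of mmu_beh."""
    if req_in:
        return next_state(v, rwe, tbl_ptr_addr, tbl_ptr_in, data, mem, superv)
    return (False, v, tbl_ptr_in)

# Constructed segment table at tblPtr = 0x100 (two words per segment).
TBL = 0x100
MEM = {
    TBL + 0: AVAIL | READ | EXEC | 0x3F,  TBL + 1: 0x1000,  # seg 0: r-x, 64 bytes
    TBL + 2: AVAIL | READ | WRITE | 0x10, TBL + 3: 0x2000,  # seg 1: rw-, 17 bytes
    TBL + 4: 0,                           TBL + 5: 0x3000,  # seg 2: not available
}
TBL_ADDR = 0x3FF   # assumed tblPtrADDR: segment 3, which is not in the table

if __name__ == "__main__":
    rd, wr = RWE(True, False, False), RWE(False, True, False)
    for superv, rwe, v in [(False, rd, 0x020), (False, wr, 0x020),
                           (False, rd, 0x111), (False, wr, TBL_ADDR),
                           (True, wr, TBL_ADDR), (True, rd, 0x200)]:
        print(superv, rwe, hex(v), mmu_beh(True, rwe, v, superv, 0x200,
                                           MEM, TBL_ADDR, TBL))
```

Two properties are worth checking against the model. In user mode tblPtrOut equals tblPtr on every path, so the active userMode definition needs no special case for a write to tblPtrADDR: the commented-out variant rejected such writes explicitly, while here they are simply subject to legalAccess (with segment 3 unmapped they fail). In supervisor mode no request is checked or translated at all, so the supervisor sits entirely outside the protection the MMU provides, which is exactly why the write that reloads tblPtr is only honoured there.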


%-----------------------------------------------------------------------
 MMU IMPLEMENTATION
-----------------------------------------------------------------------%

let secUnit_spec = new_definition
  (`secUnit_spec`,
   "!a b ok (r:^rep_ty)(rwe:num->RWE). secUnit_spec r a b rwe ok =
    !t. ok (t+1) =
      ((validAccess r) ((a t),(b t),(rwe t)) /\ (ofsLEq r) ((a t),(b t)))" );;

let addUnit_spec = new_definition
  (`addUnit_spec`, "!(a b c :num->*wordn) (r:^rep_ty).
    addUnit_spec r a b c = !t:num. c (t+1) = (add r ( (a t),(b t) ))" );;

let muxUnit_spec = new_definition
  (`muxUnit_spec`,
   "! (a out :num->*address) (b :num->*wordn) (w :num->bool) (r:^rep_ty).
    muxUnit_spec r a b out w =
    !t:num. (out (t+1)) = (w (t+1)) => address r (b (t+1)) | (a t)" );;

let mux3Unit_spec = new_definition
  (`mux3Unit_spec`,
   "!(a b c out :num->*wordn) (w:num->num). mux3Unit_spec a b c out w =
    !t:num. (out t) = (w t = 0) => a t | (w t = 1) => b t | c t" );;

let splitUnit_spec = new_definition
  (`splitUnit_spec`,
   "!(r:^rep_ty) virt id ofs. splitUnit_spec r virt id ofs =
    !t:num. ((id t)  = (segIdShf r) (virt t)) /\
            ((ofs t) = (segOfs r) (virt t))" );;

let latchUnit_spec = new_definition
  (`latchUnit_spec`,
   "!(i out :num->*wordn) (ctrl :num->bool) (r :^rep_ty).
    latchUnit_spec r i out ctrl =
    !t:num. out (t+1) = ctrl (t+1) => out t | (i (t+1))" );;

let regUnit_spec = new_definition
  (`regUnit_spec`,
   "!(i out :num->*wordn) ld clr (r:^rep_ty). regUnit_spec r i ld clr out =
    ( !t:num. out (t+1) = (clr t => (wordn r 0) | ld t => i t | out t) ) /\
    (out 0 = (wordn r 0))" );;

let matchUnit_spec = new_definition
  (`matchUnit_spec`,
   "!(a b:num->*address) (m:num->bool) (r:^rep_ty). matchUnit_spec r a b m =
    !(t:num). m(t+1) = ( addrEq r (a t, b t) ) => T:bool | F" );;

let oneUnit_spec = new_definition
  (`oneUnit_spec`, "!t:num (r:^rep_ty). oneUnit_spec r t = (wordn r) 1");;

let bitFalse = new_definition
  (`bitFalse`, "!t:num. bitFalse t = F");;

let memoryUnit_spec = new_definition
  (`memoryUnit_spec`,
   "!req addr data done mem (r:^rep_ty).
    memoryUnit_spec r req addr data done mem =
      ( (data 0 = wordn r 0) /\ (done 0 = F) ) /\
      !t. ( (req t) => ( (data (t+1) = fetch r (mem t, addr t) ) /\
                         (done (t+1) = T) ) |
                       ( (data (t+1) = wordn r 0) /\
                         (done (t+1) = F) ) )");;


%-----------------------------------------------------------------------
 A valid request will require 4 phases, with a delay of at least 1
 time unit between phases.

 0: (initial) -wait until reqIn-
    add (shift vaddr), tblPtr into tmpReg
    compare vaddr, tblPtrADDR (match)

 1: if supervisor mode
      if match and write request -> store dataIn into tblPtr
      else pass request thru (addr, data, rwe) and ack
      goto Phase 0
    else
      fetch mem (tmpReg)
      add tmpReg, 1

 2: -wait until fdone-
    fetch mem (tmpReg + 1)

 3: -wait until fdone-
    if secUnit pass
      add fetched value, vaddr
      pass request thru (addr, data, rwe) and ack
    else


-----------------------------------------------------------------------%

let controlUnit_spec = new_definition
  (`controlUnit_spec`, "!(muxC phase :num->num) (rwe: num->RWE)
    (tmpC tblC lC xlat done ack rReq reqIn super match secOK fdone:num->bool).
    controlUnit_spec reqIn super rwe match secOK fdone
                     muxC tmpC tblC lC rReq xlat done ack phase =
    ((muxC 0,tmpC 0,tblC 0,lC 0,rReq 0,xlat 0,done 0,ack 0, phase 0) =
     (0,F,F,F,F,F,F,F,0)) /\
    !t.
    (muxC (t+1),tmpC(t+1),tblC(t+1),lC(t+1),rReq(t+1),xlat(t+1),done(t+1),
     ack(t+1),phase(t+1)) =
    % (muxC, tmpC,tblC,lC, rReq,xlat,done,ack, phase) %
    (phase t = 0) =>
      (reqIn t =>
        ( 0, F,F,F, F,F,F,F, 1) |
        ( 0, F,F,F, F,F,F,F, 0)) |
    (phase t = 1) =>
      (super t =>
        ((wBIT (rwe t)) /\ match t) =>
          ( 0, F,T,F, F,F,F,F, 5) |
          ( 0, F,F,F, F,F,T,T, 0) |
        ( 2, T,F,T, T,T,F,F, 2)) |
    ((phase t = 2) /\ fdone t) =>
        ( 1, F,F,F, T,T,F,F, 3) |
    ((phase t = 3) /\ fdone t) =>
      (secOK t =>
        ( 0, F,F,F, F,T,F,F, 4) |
        ( 0, F,F,F, F,F,T,F, 0)) |
    (phase t = 4) =>
        ( 0, F,F,T, F,T,T,T, 0) |
    (phase t = 5) =>
        ( 0, F,F,F, F,F,T,T, 0) |
    (muxC t,tmpC t,tblC t,lC t, F ,xlat t,done t,ack t, phase t)" );;


let datapath = new_definition
  (`datapath`,
   "!(r:^rep_ty) (vAddr rAddr :num->*address) (vData :num->*wordn) mem
     (rwe :num->RWE) (tblPtr :num->*wordn) (tblPtrADDR :num->*address)
     (muxC :num->num) (tmpC tblC lC rReq xlat match secOK fdone :num->bool).
    datapath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
             muxC tmpC tblC lC rReq xlat match secOK fdone =
    ?(mux1 mux2 id ofs addOut data latOut :num->*wordn)
     (secData :num->*wordn).
      (regUnit_spec    r vData tblC bitFalse tblPtr)         /\
      (regUnit_spec    r data tmpC bitFalse secData)         /\
      (secUnit_spec    r vAddr secData rwe secOK)            /\
      (splitUnit_spec  r vAddr id ofs)                       /\
      (mux3Unit_spec   id ofs (oneUnit_spec r) mux1 muxC)    /\
      (mux3Unit_spec   tblPtr data latOut mux2 muxC)         /\
      (addUnit_spec    r mux1 mux2 addOut)                   /\
      (latchUnit_spec  r addOut latOut lC)                   /\
      (matchUnit_spec  r vAddr tblPtrADDR match)             /\
      (muxUnit_spec    r vAddr latOut rAddr xlat)            /\
      (memoryUnit_spec r rReq rAddr data fdone mem)
   ");;


let mmu_imp = new_definition
  (`mmu_imp`,
   "!(r:^rep_ty) (vAddr rAddr :num->*address) (vData :num->*wordn)
     (rwe :num->RWE) (superv reqIn xlat ack done :num->bool) mem
     (tblPtr :num->*wordn) (tblPtrADDR :num->*address) (phase :num->num).
    mmu_imp r vAddr vData rwe superv tblPtr tblPtrADDR reqIn
            rAddr done ack xlat mem phase =
    ?(muxC :num->num) (tmpC tblC lC rReq match secOK fdone :num->bool).
      (controlUnit_spec reqIn superv rwe match secOK fdone
                        muxC tmpC tblC lC rReq xlat done ack phase) /\
      (datapath r vAddr vData rwe mem tblPtrADDR tblPtr rAddr
                muxC tmpC tblC lC rReq xlat match secOK fdone)" );;

close_theory();;
mmu_aux.ml

let Library_Root = `/epoch/d1/csgrad/schubert/hol/Library/`;;

let lib_dir_list =
  (map (concat Library_Root)
    [`gates/`; `bits/`; `words/`; `numbers/`; `decimal/`; `assoc/`]);;

set_search_path (search_path() @ [`.`;
  `/epoch/d1/csgrad/schubert/hol/tactics/`;
  `/epoch/d1/csgrad/schubert/hol/ml/`;
  `/epoch/d1/csgrad/schubert/hol/theories/`;
  `/epoch/d1/csgrad/schubert/hol/lisp/vax/`;
  ] @ lib_dir_list);;

loadf (`aux_defs.ml`);;

system `rm /epoch/d1/csgrad/schubert/hol/theories/mmu_aux.th`;;

new_theory `mmu_aux`;;

%map load_parent [`mmu_abs`; `time_abs`; `mmu_def`; `ctrlUnit_lem`];;%

new_type_abbrev (`RWE`, ":bool#bool#bool");;

%-----------------------------------------------------------------------
 AUX FACTS
-----------------------------------------------------------------------%

let PLUS_ONE_TAC n =
  REWRITE_TAC [(SYM_RULE ADD1); (num_CONV n); ADD_CLAUSES];;
let T2 = prove_thm (`T2`, "!t. (t + 1) + 1 = t + 2", PLUS_ONE_TAC "2" );;
let T3 = prove_thm (`T3`, "!t. (t + 2) + 1 = t + 3", PLUS_ONE_TAC "3" );;
let T4 = prove_thm (`T4`, "!t. (t + 3) + 1 = t + 4", PLUS_ONE_TAC "4" );;
let T5 = prove_thm (`T5`, "!t. (t + 4) + 1 = t + 5", PLUS_ONE_TAC "5" );;
let T6 = prove_thm (`T6`, "!t. (t + 5) + 1 = t + 6", PLUS_ONE_TAC "6" );;
let T7 = prove_thm (`T7`, "!t. (t + 6) + 1 = t + 7", PLUS_ONE_TAC "7" );;

let LESS_ADD_SUC = prove_thm
  (`LESS_ADD_SUC`, "!t n. t < ( t + SUC(n) )",
   REWRITE_TAC [ADD_CLAUSES; LESS_THM]
   THEN REPEAT GEN_TAC
   THEN DISJ_CASES_TAC (SPEC "n" LESS_0_CASES)
   THENL
   [ POP_ASSUM (\thm. REWRITE_TAC [(SYM_RULE thm); ADD_CLAUSES] )
   ; POP_ASSUM(\thm. ASSUME_TAC( REWRITE_RULE [thm]
        (SPECL ["0";"n"] LESS_NOT_EQ) ))
     THEN POP_ASSUM(\thm. REWRITE_TAC [ (REWRITE_RULE
        [(SYM_RULE thm)] (SPECL ["t";"n"] LESS_ADD_NONZERO ))])
   ] );;

let RANGE_LEMMA = TAC_PROOF
  (([], "!t1 t2 (f:num->bool) .
      (!t'. t1 < t' /\ t' < t2 ==> ~(f t')) /\ ~(f t2)
      ==> (!t'. t1 < t' /\ t' < (t2+1) ==> ~(f t'))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC( SPEC "t':num" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
          REWRITE_RULE [SYM_RULE ADD1; LESS_THM] (el 3 asl)))
   THENL
   [ ASSUM_LIST(\asl. ASSUME_TAC ( REWRITE_RULE [(el 1 asl)] (el 3 asl)))
   ; ALL_TAC
   ]
   THEN RES_TAC );;

%
let LESS_SQUEEZE_LEMMA =
  let LESS_EQ_SUCC =
    SYM_RULE (PURE_ONCE_REWRITE_RULE [DISJ_SYM] LESS_THM) in
  PURE_ONCE_REWRITE_RULE [ADD1] (
    PURE_ONCE_REWRITE_RULE [LESS_EQ_SUCC] (
      PURE_ONCE_REWRITE_RULE [LESS_OR_EQ] LESS_EQ_ANTISYM));;
%

let stable_sigs = new_definition
  (`stable_sigs`,
   "!t1 t2 (rwe :num->RWE) (vAddr tblPtrADDR :num->*address)
     (data :num->*wordn) (mem:num->*memory) (super :num->bool) .
    stable_sigs t1 t2 vAddr rwe tblPtrADDR data mem super =
    !t'. t1 < t' /\ t' < t2 ==>
      (super t' = super t1) /\ (vAddr t' = vAddr t1) /\
      (rwe t' = rwe t1) /\ (data t' = data t1) /\
      (mem t' = mem t1) /\ (tblPtrADDR t' = tblPtrADDR t1)"
  );;

%
let IMP_F_THM = prove_thm
  (`IMP_F_THM`, "!f. (f ==> F) = (f = F)",
   GEN_TAC
   THEN BOOL_CASES_TAC "f"
   THEN REWRITE_TAC [] );;

let NOT_TO_EQ_CONV =
  (PURE_REWRITE_RULE [IMP_F_THM] o
    (BETA_RULE o (ONCE_REWRITE_RULE [NOT_DEF] )));;
%

let LESS_ADD_EQ = prove_thm
  (`LESS_ADD_EQ`,
   "!t x y. ((t+x) < (t+y)) = (x < y)",
   INDUCT_TAC
   THEN REWRITE_TAC [ADD_CLAUSES]
   THEN ONCE_REWRITE_TAC [CONJUNCT1 (CONJUNCT2 (CONJUNCT2 (ADD_CLAUSES)))]
   THEN ASM_REWRITE_TAC [LESS_MONO_EQ] );;

let BETW_0_7_IS_1 = prove_thm
  (`BETW_0_7_IS_1`, "0 < 1 /\ 1 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_7_IS_2 = prove_thm
  (`BETW_0_7_IS_2`, "0 < 2 /\ 2 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_7_IS_4 = prove_thm
  (`BETW_0_7_IS_4`, "0 < 4 /\ 4 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_7_IS_5 = prove_thm
  (`BETW_0_7_IS_5`, "0 < 5 /\ 5 < 7",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_6_IS_1 = prove_thm
  (`BETW_0_6_IS_1`, "0 < 1 /\ 1 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_6_IS_2 = prove_thm
  (`BETW_0_6_IS_2`, "0 < 2 /\ 2 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_6_IS_4 = prove_thm
  (`BETW_0_6_IS_4`, "0 < 4 /\ 4 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

let BETW_0_6_IS_5 = prove_thm
  (`BETW_0_6_IS_5`, "0 < 5 /\ 5 < 6",
   CONV_TAC (TOP_DEPTH_CONV num_CONV)
   THEN REWRITE_TAC [LESS_0; LESS_MONO_EQ] );;

close_theory();;



ctrlUnit_lem.ml

let Library_Root = `/epoch/d1/csgrad/schubert/hol/Library/`;;

let lib_dir_list =
  (map (concat Library_Root)
    [`gates/`; `bits/`; `words/`; `numbers/`; `decimal/`; `assoc/`]);;

set_search_path (search_path() @ [`.`;
  `/epoch/d1/csgrad/schubert/hol/tactics/`;
  `/epoch/d1/csgrad/schubert/hol/ml/`;
  `/epoch/d1/csgrad/schubert/hol/theories/`;
  `/epoch/d1/csgrad/schubert/hol/lisp/vax/`;
  ] @ lib_dir_list);;

loadf (`aux_defs.ml`);;

system `rm /epoch/d1/csgrad/schubert/hol/theories/ctrlUnit_lem.th`;;
new_theory `ctrlUnit_lem`;;

%loadf `abstract`;;%

map load_parent [`mmu_abs`; `time_abs`; `mmu_def`; `arithmetic`];;

%-----------------------------------------------------------------------
 AUX FACTS
-----------------------------------------------------------------------%

let SUC_EQ_DEF = prove_thm
  (`SUC_EQ_DEF`, "!m n. (SUC m = SUC n) = (m = n)",
   REPEAT GEN_TAC
   THEN EQ_TAC
   THENL
   [ REWRITE_TAC [INV_SUC]
   ; STRIP_TAC
     THEN BOOL_CASES_TAC "m = n"
     THEN ASM_REWRITE_TAC []
   ] );;

let num_EQ_TAC =
  CONV_TAC (TOP_DEPTH_CONV num_CONV)
  THEN REWRITE_TAC [SUC_EQ_DEF]
  THEN REWRITE_TAC [NOT_SUC]
  THEN CONV_TAC (ONCE_DEPTH_CONV SYM_CONV)
  THEN REWRITE_TAC [NOT_SUC];;

let PHASE_0_UNIQUE = prove_thm
  (`PHASE_0_UNIQUE`, "~(0 = 1) /\ ~(0 = 2) /\ ~(0 = 3) /\ ~(0 = 4) /\ ~(0 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;

let PHASE_1_UNIQUE = prove_thm
  (`PHASE_1_UNIQUE`, "~(1 = 0) /\ ~(1 = 2) /\ ~(1 = 3) /\ ~(1 = 4) /\ ~(1 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;

let PHASE_2_UNIQUE = prove_thm
  (`PHASE_2_UNIQUE`, "~(2 = 0) /\ ~(2 = 1) /\ ~(2 = 3) /\ ~(2 = 4) /\ ~(2 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;

let PHASE_3_UNIQUE = prove_thm
  (`PHASE_3_UNIQUE`, "~(3 = 0) /\ ~(3 = 1) /\ ~(3 = 2) /\ ~(3 = 4) /\ ~(3 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;

let PHASE_4_UNIQUE = prove_thm
  (`PHASE_4_UNIQUE`, "~(4 = 0) /\ ~(4 = 1) /\ ~(4 = 2) /\ ~(4 = 3) /\ ~(4 = 5)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;

let PHASE_5_UNIQUE = prove_thm
  (`PHASE_5_UNIQUE`, "~(5 = 0) /\ ~(5 = 1) /\ ~(5 = 2) /\ ~(5 = 3) /\ ~(5 = 4)",
   REPEAT CONJ_TAC THEN num_EQ_TAC );;


%-----------------------------------------------------------------------
 Control Unit Lemmas
-----------------------------------------------------------------------%

let SIX_PHASES_ONLY = prove_thm
  (`SIX_PHASES_ONLY`,
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>
    (!t. (phase t = 0) \/ (phase t = 1) \/ (phase t = 2) \/
         (phase t = 3) \/ (phase t = 4) \/ (phase t = 5))",
   REPEAT GEN_TAC
   THEN PURE_ONCE_REWRITE_TAC [ controlUnit_spec ]
   THEN STRIP_TAC
   THEN INDUCT_TAC
   THENL
   [% base case %
     ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS (
        (REWRITE_RULE [PAIR_EQ] (el 2 asl) ) )))
     THEN POP_ASSUM (\thm. REWRITE_TAC [thm] )
   ;% ------------------------- induction ------------------------- %
     PURE_REWRITE_TAC [ADD1]
     THEN POP_ASSUM (\thm. DISJ_CASES_TAC (thm) )
     THENL
     [% case 0 %
       ASM_CASES_TAC "(reqIn t):bool"
       THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
          REWRITE_RULE ([(el 1 asl);(el 2 asl)] @ [PAIR_EQ])
            (SPEC_ALL (el 3 asl)) )))
     ; POP_ASSUM (\thm. DISJ_CASES_TAC (thm) )
       THENL
       [% case 1 %
         ASM_CASES_TAC "(super t):bool"
         THEN ASM_CASES_TAC "(wBIT(rwe t) /\ match t):bool"
         THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
            REWRITE_RULE ([(el 1 asl);(el 2 asl);(el 3 asl);PAIR_EQ] @
              (CONJUNCTS (PHASE_1_UNIQUE) ) ) (SPEC_ALL (el 4 asl)))))
       ; POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
         THENL
         [% case 2 %
           ASM_CASES_TAC "(fdone t):bool"
           THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
              REWRITE_RULE ((CONJUNCTS (PHASE_2_UNIQUE) ) @ [PAIR_EQ] )
                (REWRITE_RULE [(el 1 asl);(el 2 asl)]
                  (SPEC_ALL (el 3 asl))) )))
         ; POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
           THENL
           [% case 3 %
             ASM_CASES_TAC "(fdone t):bool"
             THEN ASM_CASES_TAC "(secOK t):bool"
             THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
                REWRITE_RULE ((CONJUNCTS (PHASE_3_UNIQUE) ) @ [PAIR_EQ])
                  (REWRITE_RULE [(el 1 asl);(el 2 asl);(el 3 asl) ]
                    (SPEC_ALL (el 4 asl)) ))))
           ;% case 4,5 %
             POP_ASSUM (\thm. DISJ_CASES_TAC (thm) )
             THEN POP_ASSUM_LIST(\asl. REWRITE_TAC( CONJUNCTS (
                REWRITE_RULE ((CONJUNCTS (PHASE_4_UNIQUE) ) @
                  (CONJUNCTS (PHASE_5_UNIQUE) ) @ [PAIR_EQ])
                  (REWRITE_RULE [(el 1 asl)] (SPEC_ALL (el 2 asl))) )))
           ]]]]] );;


%
SIX_PHASES_ONLY =
|- !muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
    secOK fdone.
   controlUnit_spec reqIn super rwe match secOK fdone
                    muxC tmpC tblC lC rReq xlat done ack phase ==>
   (!t. (phase t = 0) \/ (phase t = 1) \/ (phase t = 2) \/
        (phase t = 3) \/ (phase t = 4) \/ (phase t = 5))

Run time: 1235.6s
Intermediate theorems generated: 73322

(Holly: Run time: 2728.2s)
%
let NOT_PHASE_2_THEN_0 = prove_thm
  (`NOT_PHASE_2_THEN_0`,
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>
    (!t. (phase t = 2) ==> ~(phase (t+1) = 0))",
   REPEAT GEN_TAC
   THEN PURE_ONCE_REWRITE_TAC [ controlUnit_spec ]
   THEN STRIP_TAC
   THEN STRIP_TAC
   THEN STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. ASSUME_TAC(
          REWRITE_RULE [(el 1 asl);PHASE_2_UNIQUE] (SPEC_ALL (el 2 asl))))
   THEN ASM_CASES_TAC "(fdone t):bool"
   THEN POP_ASSUM_LIST (\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS (
          REWRITE_RULE [(el 1 asl);PAIR_EQ] (el 2 asl) )))
   THEN STRIP_TAC
   THEN POP_ASSUM_LIST (\asl. REWRITE_TAC [ (REWRITE_RULE
          ((CONJUNCTS PHASE_0_UNIQUE) @ [(el 1 asl)]) (el 2 asl))]) );;

%
NOT_PHASE_2_THEN_0 =
|- !muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
    secOK fdone.
   controlUnit_spec reqIn super rwe match secOK fdone
                    muxC tmpC tblC lC rReq xlat done ack phase ==>
   (!t. (phase t = 2) ==> ~(phase(t + 1) = 0))

Run time: 69.5s
Intermediate theorems generated: 6905

(Holly: Run time: 233.6s)
%


let PHASE_0_IDLE = prove_thm
  (`PHASE_0_IDLE`,
   "! muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
      secOK fdone.
    controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                     rReq xlat done ack phase ==>
    (!t. (phase t = 0) ==> ( (tblC t = F) /\ (muxC t = 0)) )",
   REPEAT GEN_TAC
   THEN STRIP_TAC
   THEN INDUCT_TAC
   THENL
   [% base case %
     POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC( CONJUNCTS (
        REWRITE_RULE [controlUnit_spec] thm )))
     THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( CONJUNCTS (
        REWRITE_RULE [PAIR_EQ] (el 2 asl))))
   ;% induction case %
     REWRITE_TAC [ADD1]
     THEN ASSUM_LIST (\asl. ASSUME_TAC( SPEC_ALL (
        REWRITE_RULE [(el 2 asl)] (SPEC_ALL SIX_PHASES_ONLY))))
     THEN ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS (
        SPEC_ALL (REWRITE_RULE [controlUnit_spec] (el 3 asl)))) )
     THEN POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC(rev (subtract asl
        [(el 2 asl);(el 4 asl);(el 5 asl)])))
     THEN ASSUM_LIST (\asl. DISJ_CASES_TAC (el 2 asl) )
     THENL
     [% phase 0 %
       ASM_CASES_TAC "(reqIn t):bool"
       THEN POP_ASSUM_LIST (\asl. REWRITE_TAC ( CONJUNCTS (
          REWRITE_RULE ([PAIR_EQ; (el 1 asl);(el 2 asl)] @
            (CONJUNCTS PHASE_0_UNIQUE)) (SPEC_ALL (el 3 asl)) )))
     ; POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
       THENL
       [% phase 1 %
         ASM_CASES_TAC "(super t):bool"
         THEN ASM_CASES_TAC "((wBIT(rwe t) /\ match t)):bool"
         THEN POP_ASSUM_LIST (\asl. REWRITE_TAC (
            (CONJUNCTS PHASE_5_UNIQUE) @ (CONJUNCTS (
              REWRITE_RULE ( [PAIR_EQ; (el 1 asl);(el 2 asl); (el 3 asl)] @
                (CONJUNCTS PHASE_1_UNIQUE) ) (SPEC_ALL (el 4 asl)) ))))
       ; POP_ASSUM(\thm. DISJ_CASES_TAC (thm) )
         THENL
         [% phase 2 %
           ASM_CASES_TAC "(fdone t):bool"
           THEN POP_ASSUM_LIST(\asl. REWRITE_TAC ( (CONJUNCTS PHASE_2_UNIQUE) @
              (CONJUNCTS PHASE_3_UNIQUE) @ (CONJUNCTS ( REWRITE_RULE
                ([PAIR_EQ; (el 1 asl); (el 2 asl)] @ (CONJUNCTS PHASE_2_UNIQUE) )
                (SPEC_ALL (el 3 asl)) ))))
         ; POP_ASSUM(\thm. DISJ_CASES_TAC (thm))
           THENL
           [% phase 3 %
             ASM_CASES_TAC "(fdone t):bool"
             THEN ASM_CASES_TAC "(secOK t):bool"
             THEN POP_ASSUM_LIST (\asl. REWRITE_TAC (
                (CONJUNCTS PHASE_3_UNIQUE) @ (CONJUNCTS ( REWRITE_RULE
                  ( [PAIR_EQ; (el 1 asl);(el 2 asl);(el 3 asl)] @
                    (CONJUNCTS PHASE_3_UNIQUE) ) (SPEC_ALL (el 4 asl)) ))))
           ;% phase 4,5 %
             POP_ASSUM (\thm. DISJ_CASES_TAC (thm) )
             THEN POP_ASSUM_LIST (\asl. REWRITE_TAC (
                (CONJUNCTS PHASE_5_UNIQUE) @ (CONJUNCTS PHASE_4_UNIQUE) @
                (CONJUNCTS ( REWRITE_RULE
                  ([PAIR_EQ; (el 1 asl)] @ (CONJUNCTS PHASE_4_UNIQUE) @
                   (CONJUNCTS PHASE_5_UNIQUE) ) (SPEC_ALL (el 2 asl)) ))))
           ]]]]] );;

%
PHASE_0_IDLE =
|- !muxC phase rwe tmpC tblC lC xlat done ack rReq reqIn super match
    secOK fdone.
   controlUnit_spec reqIn super rwe match secOK fdone
                    muxC tmpC tblC lC rReq xlat done ack phase ==>
   (!t. (phase t = 0) ==> (tblC t = F) /\ (muxC t = 0))

Run time: 721.0s
Intermediate theorems generated: 66258
%


lat CTRL.UIIT.EXP1ID - prova.thn 
( * CTRL.inriT.ElPAHD ‘ # 

"controlUnit.apac raqln aupar raa natch aacOI fdona nuxC 
tmpC tblC 1C rRaq xlat dona ack phaaa **> 
ft. 

nuxCCt ♦ 1) f tnpC(t + 1) ,tblC(t ♦ 1) ,lC(t ♦ D.rRaqCt ♦ 1), 
xlat(t ♦ l),done(t ♦ l),ack(t ♦ l),phase(t ♦ 1) ■ 

((phaaa t ■ 0) ■> 

(raqln t ■> (O.F.F.F.F.F.F.F.l) I (O.F.F.F.F.F.F.F.O)) I 
((phaaa t ■ 1) ■> 

(aupar t ■> 

((«BIT(r*a t) A natch t) -> 

(O.F.T.F.F.F.F.F.S) I 
(0,F,F,F,F,F,T,T,0) ) I 
(2,T,F,T,T,T,F,F,2)) I 
(((phaaa t - 2) /\ idona t) »> 

(1,F.F,F,T,T.F.F,3) I 
(((phaaa t - 3) A idona t) -> 

(aacOK t -> (0,F,F.F.F.T.F,F,4) I (0,F.F,F,F,F,T,F,0)) I 
((phaaa t “ 4) ”> 

(O.F.F.T.F.T.T.T.O) I 
((phaaa t ■ 5) ■> 

(O.F.F.F.F.F.T.T.O) I 

(nuxC t.tnpC t.tblC t.lC t. F ,xlat t.dona t.ack t. 
phaaa t)))>>>>". 

STRIP.TiC 

THE! P0P_ASSUM( \thn. ACCEPT.TAC ( 

(C0BJU*CT2( (REURITE.RULE [controlUnit.apac] thn)))) ));; 


%
CTRL_UNIT_EXPAND =
|- controlUnit_spec reqIn super rwe match secOK fdone muxC tmpC tblC lC
                    rReq xlat done ack phase ==>
   (!t.
     muxC(t + 1),tmpC(t + 1),tblC(t + 1),lC(t + 1),rReq(t + 1),
     xlat(t + 1),done(t + 1),ack(t + 1),phase(t + 1) =
     ((phase t = 0) =>
       (reqIn t => (0,F,F,F,F,F,F,F,1) | (0,F,F,F,F,F,F,F,0)) |
      ((phase t = 1) =>
       (super t =>
         ((wBIT(rwe t) /\ match t) =>
           (0,F,T,F,F,F,F,F,5) |
           (0,F,F,F,F,F,T,T,0)) |
         (2,T,F,T,T,T,F,F,2)) |
       (((phase t = 2) /\ fdone t) =>
         (1,F,F,F,T,T,F,F,3) |
        (((phase t = 3) /\ fdone t) =>
          (secOK t => (0,F,F,F,F,T,F,F,4) | (0,F,F,F,F,F,T,F,0)) |
         ((phase t = 4) =>
           (0,F,F,T,F,T,T,T,0) |
          ((phase t = 5) =>
            (0,F,F,F,F,F,T,T,0) |
           (muxC t,tmpC t,tblC t,lC t,F,xlat t,done t,ack t,phase t))))))))
Run time: 33.7s

Intermediate theorems generated: 2782
%


close_theory();;

mmu_prf.ml

let Library_Root = `/epoch/d1/csgrad/schubert/hol/Library/`;;

let lib_dir_list =
  (map (concat Library_Root)
   [`gates/`; `bits/`; `words/`; `numbers/`; `decimal/`; `assoc/`]);;

set_search_path (search_path() @
  [`.`;
   `/epoch/d1/csgrad/schubert/hol/tactics/`;
   `/epoch/d1/csgrad/schubert/hol/ml/`;
   `/epoch/d1/csgrad/schubert/hol/theories/`;
   `/epoch/d1/csgrad/schubert/hol/lisp/TWT/`
  ] @ lib_dir_list);;

loadf(`aux_defs.ml`);;

system `rm /epoch/d1/csgrad/schubert/hol/theories/mmu_prf.th`;;

new_theory `mmu_prf`;;
loadf `abstract`;;
loadf `exist_tac.ml`;;

load_parent [`mmu_abs`; `time_abs`; `mmu_def`; `ctrlUnit_lem`; `mmu_aux`];;

let rep_ty = abstract_type `mmu_abs` `segId`;;


%
AUX FACTS AND DEFS
%

let line tok t =
  if (is_eq t)
  then (let x = fst (dest_var(rator (lhs(t))))
        in (mem x (words tok) ? false))
  else ( if (is_neg t)
         then (let y = fst (dest_var(rator(dest_neg(t))))
               in mem y (words tok))
         else (let y = fst (dest_var(rator(t)))
               in mem y (words tok)) )
  ? false;;

letrec lines tok t =
  if (is_conj t)
  then (let x = (dest_conj t)
        in (let b = (line tok (fst x))
            in (if b then true
                else (lines tok (snd x)) )))
  else (line tok t)
  ? false;;

letrec unit tok t =
  if (is_comb t)
  then (let x = fst (dest_comb t) in unit tok x)
  else (let x = fst(dest_const t) in mem x (words tok)) ? false;;

let FIND_ASSUM f asl = hd(filter (f o concl) asl);;

let FIND_SPEC_UNIT s u u' asl =
  (SPEC s (REWRITE_RULE [u]
      (FIND_ASSUM (unit u') asl) ));;

let FIND_ASSUM2 f asl = hd(tl(filter(f o concl) asl));;

let FIND_SPEC_UNIT2 s u u' asl =
  (SPEC s (REWRITE_RULE [u]
      (FIND_ASSUM2 (unit u') asl) ));;

let FIND_SPEC_MEM_UNIT s asl =
  (SPEC s (CONJUNCT2 (REWRITE_RULE [memoryUnit_spec]
      (FIND_ASSUM (unit `memoryUnit_spec`) asl) )));;

let FILTER_ASSUM_TAC thml f =
  ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE thml
      (FIND_ASSUM f asl) ));;

let UNIT u asl = (FIND_ASSUM (unit u) asl);;

let LINE l asl = (FIND_ASSUM (lines l) asl);;

let LESS_CONV x =
  REWRITE_RULE [LESS_MONO_EQ ; LESS_0] (
    REWRITE_RULE [ADD ; ADD_SYM] ( (TOP_DEPTH_CONV num_CONV) x));;

let RANGE_LEMMA = TAC_PROOF
  (([], "!t1 t2 (f :num->bool) .
          (!t'. t1 < t' /\ t' < t2 ==> ~(f t')) /\ ~(f t2)
          ==> (!t'. t1 < t' /\ t' < (t2+1) ==> ~(f t'))"),
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\asl. ASSUME_TAC( SPEC "t':num" (el 5 asl)))
   THEN ASSUM_LIST (\asl. STRIP_ASSUME_TAC (
          REWRITE_RULE [SYM_RULE ADD1 ; LESS_THM] (el 3 asl)))
   THENL
   [ ASSUM_LIST(\asl. ASSUME_TAC ( REWRITE_RULE [(el 1 asl)] (el 3 asl)))
   ;
     ALL_TAC
   ]
   THEN RES_TAC
  );;

let RANGE_TAC hi lo =
  CONJ_TAC
  THENL
  [ REWRITE_TAC [(num_CONV hi);(SPEC_ALL LESS_ADD_SUC)]
  ;
    REPEAT
    (PURE_ONCE_REWRITE_TAC [(SYM_RULE T2) ; (SYM_RULE T3) ; (SYM_RULE T4) ;
                            (SYM_RULE T5) ; (SYM_RULE T6) ; (SYM_RULE T7)]
     THEN MATCH_MP_TAC RANGE_LEMMA
     THEN CONJ_TAC
     THENL
     [REWRITE_TAC [(SYM_RULE ADD1) ; LESS_LESS_SUC]
     ;
      ASM_REWRITE_TAC []
     ]
    )
  ];;


let LESS_ADD_EQ1 =
  % "!t y. t < (t + y) = 0 < y" %
  (GEN "t"
    (REWRITE_RULE[LESS_0; (CONJUNCT1( CONJUNCT2( ADD_CLAUSES)))]
      (SPECL ["t" ;"0"] LESS_ADD_EQ) )
  );;

let RANGE_RULE th =
  (REWRITE_RULE [LESS_MONO_EQ ; LESS_ADD_EQ ; LESS_ADD_EQ1 ; LESS_0]
    ( CONV_RULE (TOP_DEPTH_CONV num_CONV) th ) );;

let EXPAND_TBLPTR_RULE s T asl =
  (REWRITE_RULE [(LINE `tblC` asl);(LINE `tblPtr` asl);T]
    (SPEC s (CONJUNCT1 (REWRITE_RULE
      [regUnit_spec ; bitFalse]
      (FIND_ASSUM2 (unit `regUnit_spec`) asl)) ))));;

let INST_SIG_LIST t asl =
  ( ONCE_REWRITE_RULE [ADD1]
    (REWRITE_RULE [LESS_SUC_REFL; SYM_RULE ADD1;
                   LESS_ADD_EQ; LESS_ADD_EQ1]
      (FIND_SPEC_UNIT t stable_sigs `stable_sigs` asl) ));;

let NOT_FOR_TBLPTR_TAC =
  EXISTS_TAC "2"
  THEN PURE_ONCE_REWRITE_TAC [Next]
  THEN ASSUM_LIST(\asl. REWRITE_TAC [(LINE `phase` asl);
         (LINE `done` asl);(LINE `ack` asl);(LINE `tblPtr` asl)] )
  THEN % determine rAddr (t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC (
     (REWRITE_RULE [(LINE `muxC` asl);T2;(LINE `xlat` asl)]
        (FIND_SPEC_UNIT "t+1" muxUnit_spec `muxUnit_spec` asl) )))
  THEN CONJ_TAC % create range and mmu_spec subgoals %
  THENL % range subgoal %
  [RANGE_TAC "2" "1"
  ; % mmu_spec part %
   ONCE_REWRITE_TAC [mmu_spec; stable_sigs]
   THEN STRIP_TAC
   THEN % instantiate stable_sigs %
   POP_ASSUM(\thm. MAP_EVERY ASSUME_TAC ( CONJUNCTS (
      SYM_RULE ( ONCE_REWRITE_RULE [ADD1]
        (REWRITE_RULE [LESS_SUC_REFL; SYM_RULE ADD1 ; SYM_RULE T2]
           (SPEC "t+1" thm) ) ) ) ))
   THEN FILTER_ASM_REWRITE_TAC (lines `super` ) []
   THEN PURE_ONCE_REWRITE_TAC [superMode]
   THEN ALL_TAC
  ];;

let UNPAIR_TAC i =
  POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC ( (
     (rev (subtract asl[(el i asl)])) @
     [ (REWRITE_RULE [PAIR_EQ] (el i asl))] )));;

let CONTROL_LINE_TAC t lem T =
  ASSUM_LIST(\asl. ASSUME_TAC (
     REWRITE_RULE ( CONJUNCTS lem @
        [(LINE `fdone` asl) ;T; (LINE `phase` asl)])
       (SPEC t (MATCH_MP CTRL_UNIT_EXPAND
          (UNIT `controlUnit_spec` asl) )) ));;

let RADDR_TAC t T =
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(el 1 asl) ;T; (LINE `xlat` asl)]
        (FIND_SPEC_UNIT t muxUnit_spec `muxUnit_spec` asl) )));;


%

ABSTRACT MMU PROOF

%


let MMU_PROOF = prove_thm
 (`MMU_PROOF`,
  "! (r :^rep_ty) (vAddr rAddr :num->*address) (vData :num->*wordn)
     (rwe :num->RWE) (super reqIn xlat ack done :num->bool) mem
     (tblPtr :num->*wordn) (tblPtrADDR :num->*address) (phase :num->num).
   mmu_imp r vAddr vData rwe super tblPtr tblPtrADDR reqIn
           rAddr done ack xlat mem phase ==>
   !t. (phase t = 0) ==>
    (reqIn t) => (?c. Next done (t,t+c) /\ ( phase (t+c) = 0 ) /\
                   ((stable_sigs t (t+c) vAddr rwe tblPtrADDR vData
                                 mem super) ==>
                    (mmu_spec r (vAddr t) (rwe t) (tblPtrADDR t) (tblPtr t)
                                (vData t) (mem t) (super t) =
                     (ack (t+c), rAddr(t+c), tblPtr(t+c)) )))
               | ( (ack (t+1) = F) /\
                   (phase (t+1) = 0) /\
                   (tblPtr (t+1) = tblPtr (t) ) )",
  REPEAT GEN_TAC
  THEN PURE_REWRITE_TAC [mmu_imp; dataPath]
  THEN REPEAT STRIP_TAC
  THEN ASSUM_LIST(\asl. ASSUME_TAC ( REWRITE_RULE [(el 1 asl)] (
         SPEC_ALL ( REWRITE_RULE [(UNIT `controlUnit_spec` asl)]
           (SPEC_ALL PHASE_0_IDLE) ) ) ) )
  THEN ASSUM_LIST(\asl. ASSUME_TAC ( REWRITE_RULE
         (CONJUNCTS PHASE_0_UNIQUE @ [(LINE `phase` asl)])
         (SPEC "t" (MATCH_MP CTRL_UNIT_EXPAND
            (UNIT `controlUnit_spec` asl) )) ))
  THEN ASM_CASES_TAC "(reqIn t):bool"
  THEN ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl)] )
  THEN ASSUM_LIST(\asl. ASSUME_TAC (
         (REWRITE_RULE [(el 1 asl)](el 2 asl) ) ))
  THEN POP_ASSUM_LIST(\asl. MAP_EVERY
         ASSUME_TAC(rev (subtract asl[(el 3 asl)])))
  THEN
  ASSUM_LIST(\asl. ASSUME_TAC( CONJUNCT1 (REWRITE_RULE
     [regUnit_spec;bitFalse] (FIND_ASSUM2 (unit `regUnit_spec`) asl)) ))
  THEN ASSUM_LIST(\asl. ASSUME_TAC
         (REWRITE_RULE [(LINE `tblC` asl)]
            (SPEC "t" (el 1 asl)) ) )
  THEN % unpair control lines at (t+1) %
  ASSUM_LIST(\asl. ASSUME_TAC (
         (REWRITE_RULE [PAIR_EQ](el 3 asl)) ))
  THEN POP_ASSUM_LIST(\asl. MAP_EVERY
         ASSUME_TAC(rev(subtract asl[(el 4 asl)])))
  % get rid of ~reqIn case %
  THENL
  [ ALL_TAC; ASM_REWRITE_TAC[] ]
  THEN % determine tblPtr (t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC(
         (EXPAND_TBLPTR_RULE "t+1" T2 asl)))
  THEN % determine control lines (t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
         (CONJUNCTS PHASE_1_UNIQUE @ [T2;(LINE `phase` asl)])
         (SPEC "t+1" (MATCH_MP CTRL_UNIT_EXPAND
            (UNIT `controlUnit_spec` asl) )) )))
  % --- case analysis --- %
  THEN ASM_CASES_TAC "(super(t + 1)):bool"
  THENL [
    ASM_CASES_TAC "(wBIT (rwe(t + 1))):bool"
    THENL [
      ASM_CASES_TAC "(addrEq (r:^rep_ty) (vAddr t,tblPtrADDR t)):bool"
      THENL [
        % --- (1.1.1) super, wBIT, addrEq --- %

        % determine control lines (t+2) %
        ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
           [PAIR_EQ ; (LINE `super` asl); (el 2 asl);
            (REWRITE_RULE [(el 1 asl)]
              (FIND_SPEC_UNIT "t" matchUnit_spec `matchUnit_spec` asl) )
           ] (el 4 asl) )))
        THEN % determine tblPtr(t+3) %
        ASSUM_LIST(\asl. ASSUME_TAC(
           (EXPAND_TBLPTR_RULE "t+2" T3 asl)))
        THEN % determine control lines (t+3) %
        ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
           (CONJUNCTS PHASE_5_UNIQUE @ [(LINE `phase` asl);T3;PAIR_EQ])
           (SPEC "t+2" (MATCH_MP CTRL_UNIT_EXPAND
              (UNIT `controlUnit_spec` asl) )) )))
        THEN EXISTS_TAC "3"
        THEN PURE_ONCE_REWRITE_TAC [Next]
        THEN ASM_REWRITE_TAC []
        THEN CONJ_TAC % create range and mmu_spec subgoals %
        THENL
        [ RANGE_TAC "3" "2"
        ;
          ONCE_REWRITE_TAC [mmu_spec]
          THEN STRIP_TAC
          THEN % expand stable_sigs for (t+1) and (t+2) %
          ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC ( CONJUNCTS (
             SYM_RULE ( ONCE_REWRITE_RULE [ADD1]
               ( (CONV_RULE LESS_CONV)
                 (REWRITE_RULE
                   [LESS_ADD_EQ;LESS_SUC_REFL; SYM_RULE ADD1; SYM_RULE T2]
                   (SPEC "t+1" (REWRITE_RULE [stable_sigs] (el 1 asl))) )) ) )))
          THEN ASSUM_LIST(\asl. ASSUME_TAC
             (PURE_ONCE_REWRITE_RULE
               [(SYM_RULE ( (TOP_DEPTH_CONV num_CONV) "2"))]
               (RANGE_RULE
                 (SPEC "t+2" (REWRITE_RULE [stable_sigs] (el 7 asl))) ) ) ) )
          THEN
          FILTER_ASM_REWRITE_TAC (lines `super` ) []
          THEN PURE_ONCE_REWRITE_TAC [superMode]
          THEN ASSUM_LIST(\asl. REWRITE_TAC [ PAIR_EQ;
             (el 13 asl); (el 5 asl) % wBIT %;(el 12 asl) % addrEq %])
          THEN % show vAddr t = rAddr(t+3) %
          RADDR_TAC "t+2" T3
          THEN ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl);(el 2 asl)] )
        ]
      ;
        % --- (1.1.2) super, wBIT, ~addrEq --- %
        ASSUM_LIST(\asl. ASSUME_TAC ( REWRITE_RULE [(el 1 asl)]
           (FIND_SPEC_UNIT "t" matchUnit_spec `matchUnit_spec` asl) ))
        THEN ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS(
           REWRITE_RULE [PAIR_EQ; (el 1 asl); (el 3 asl);(el 4 asl)] (el 5 asl) )))
        THEN NOT_FOR_TBLPTR_TAC
        THEN ASSUM_LIST(\asl. REWRITE_TAC [PAIR_EQ;
           (REWRITE_RULE [SYM_RULE (LINE `vAddr` asl)] (LINE `rAddr` asl) );
           (el 18 asl) % addrEq %])
      ]
    ;
      % --- (1.2) super, ~wBIT --- %
      ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC( CONJUNCTS(
         REWRITE_RULE [PAIR_EQ; (el 1 asl); (el 2 asl)] (el 3 asl) )))
      THEN NOT_FOR_TBLPTR_TAC
      THEN ASSUM_LIST(\asl. REWRITE_TAC [PAIR_EQ;
         (REWRITE_RULE [SYM_RULE (LINE `vAddr` asl)] (LINE `rAddr` asl) );
         (REWRITE_RULE [SYM_RULE (LINE `rwe` asl)] (el 17 asl) )
         % wBIT % ])
    ]
  ; ALL_TAC
  ] % end super case %

  % --- (2) ~super --- %
  THEN % determine addOut (t+1) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     REWRITE_RULE [(el 8 asl);
        (REWRITE_RULE [
           (FIND_SPEC_UNIT "t" splitUnit_spec `splitUnit_spec` asl)]
           (FIND_SPEC_UNIT2 "t" mux3Unit_spec `mux3Unit_spec` asl) );
        (REWRITE_RULE [LINE `muxC` asl]
           (FIND_SPEC_UNIT "t" mux3Unit_spec `mux3Unit_spec` asl) )
        ]
        (FIND_SPEC_UNIT "t" addUnit_spec `addUnit_spec` asl) ))
  THEN % determine latOut(t+1) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(el 1 asl); (LINE `lC` asl)]
        (FIND_SPEC_UNIT "t" latchUnit_spec `latchUnit_spec` asl) )))
  THEN % determine fdone value at (t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC( CONJUNCT2
     (REWRITE_RULE [T2; (LINE `rReq` asl)]
        (FIND_SPEC_MEM_UNIT "t+1" asl)) ))
  THEN % unpair control lines at (t+2) %
  POP_ASSUM_LIST(\asl. MAP_EVERY ASSUME_TAC ( (
     (rev(subtract asl[(el 5 asl)])) @
     [(REWRITE_RULE [PAIR_EQ; (LINE `super` asl)] (el 6 asl))] )))
  THEN % determine latOut(t+2) %
  ASSUM_LIST(\asl. ASSUME_TAC (
     (REWRITE_RULE [(el 1 asl);(LINE `latOut` asl);T2]
        (FIND_SPEC_UNIT "t+1" latchUnit_spec `latchUnit_spec` asl))))
  THEN % determine rAddr(t+2) %
  RADDR_TAC "t+1" T2
  % determine control lines at (t+3) %
  THEN
  CONTROL_LINE_TAC "t+2" PHASE_2_UNIQUE T3
  THEN % determine latOut(t+3) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(LINE `latOut` asl);T3;
        (REWRITE_RULE [PAIR_EQ](el 1 asl))]
        (FIND_SPEC_UNIT "t+2" latchUnit_spec `latchUnit_spec` asl))))
  THEN % determine memory value at (t+3) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(LINE `rReq` asl);T3]
        (FIND_SPEC_MEM_UNIT "t+2" asl))))
  THEN % determine tblPtr (t+3) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (EXPAND_TBLPTR_RULE "t+2" T3 asl)))
  THEN % unpair control lines at (t+3) %
  UNPAIR_TAC 4
  % determine control lines at (t+4) %
  THEN
  CONTROL_LINE_TAC "t+3" PHASE_2_UNIQUE T4
  THEN % determine addOut(t+4) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     REWRITE_RULE [PHASE_2_UNIQUE; T4 ; oneUnit_spec ;
        (LINE `latOut` asl) ;
        (REWRITE_RULE [(LINE `muxC` asl);
           (FIND_SPEC_UNIT "t+3" splitUnit_spec `splitUnit_spec` asl)]
           (FIND_SPEC_UNIT2 "t+3" mux3Unit_spec `mux3Unit_spec` asl) );
        (REWRITE_RULE [(LINE `muxC` asl)]
           (FIND_SPEC_UNIT "t+3" mux3Unit_spec `mux3Unit_spec` asl) )
        ]
        (FIND_SPEC_UNIT "t+3" addUnit_spec `addUnit_spec` asl) ))
  THEN % determine secData reg value (t+4) %
  ASSUM_LIST(\asl. ASSUME_TAC( REWRITE_RULE
     [T4;bitFalse; (LINE `tmpC` asl); (LINE `data` asl)]
     (SPEC "t+3" (CONJUNCT1( (REWRITE_RULE [regUnit_spec]
        (FIND_ASSUM (unit `regUnit_spec`) asl) ))))))
  THEN % determine memory value at (t+4) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(LINE `rReq` asl);T4]
        (FIND_SPEC_MEM_UNIT "t+3" asl))))
  THEN % determine tblPtr (t+4) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (EXPAND_TBLPTR_RULE "t+3" T4 asl)))
  THEN % unpair control lines at (t+4) %
  UNPAIR_TAC 5
  THEN % determine latOut(t+4) %
  ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
     [(el 1 asl); (LINE `latOut` asl); (LINE `addOut` asl);T4]
     (FIND_SPEC_UNIT "t+3" latchUnit_spec `latchUnit_spec` asl))))
  THEN % determine rAddr(t+4) %
  RADDR_TAC "t+3" T4
  THEN % determine securityUnit data (t+5) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(LINE `secData` asl);T5]
        (FIND_SPEC_UNIT "t+4" secUnit_spec `secUnit_spec` asl) )))
  % determine control lines at (t+5) %
  THEN
  CONTROL_LINE_TAC "t+4" PHASE_3_UNIQUE T5
  THEN % determine memory value at (t+5) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (REWRITE_RULE [(LINE `rReq` asl);T5]
        (FIND_SPEC_MEM_UNIT "t+4" asl))))
  THEN % determine tblPtr (t+5) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (EXPAND_TBLPTR_RULE "t+4" T5 asl)))
  THEN % unpair control lines at (t+5) %
  UNPAIR_TAC 3
  THEN % determine addOut (t+6) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     REWRITE_RULE [PHASE_1_UNIQUE;T6;
        (REWRITE_RULE [(LINE `muxC` asl); (LINE `data` asl); (LINE `rAddr` asl);
           (FIND_SPEC_UNIT "t+5" splitUnit_spec `splitUnit_spec` asl)]
           (FIND_SPEC_UNIT2 "t+5" mux3Unit_spec `mux3Unit_spec` asl) );
        (REWRITE_RULE [LINE `muxC` asl]
           (FIND_SPEC_UNIT "t+5" mux3Unit_spec `mux3Unit_spec` asl) )
        ]
        (FIND_SPEC_UNIT "t+5" addUnit_spec `addUnit_spec` asl) ))
  THEN % determine tblPtr (t+6) %
  ASSUM_LIST(\asl. ASSUME_TAC(
     (EXPAND_TBLPTR_RULE "t+5" T6 asl)))
  THEN % cases on validAccess %
  ASM_CASES_TAC "validAccess (r:^rep_ty)
                   (vAddr(t + 4),fetch r(mem(t + 2),rAddr(t + 2)),rwe(t + 4))
                 /\
                 (ofsLEq r(vAddr(t + 4),fetch r(mem(t + 2),rAddr(t + 2))))"
  THENL
  [
    ASSUM_LIST(\asl. ASSUME_TAC(
       (REWRITE_RULE [(el 1 asl)] (LINE `secOK` asl)) ))
    % determine control lines at (t+6) %
    THEN
    ASSUM_LIST(\asl. ASSUME_TAC (
       REWRITE_RULE (CONJUNCTS PHASE_3_UNIQUE @
          [(LINE `fdone` asl) ;T6; (LINE `phase` asl) ;PAIR_EQ; (el 1 asl)])
         (SPEC "t+5" (MATCH_MP CTRL_UNIT_EXPAND
            (UNIT `controlUnit_spec` asl) )) ))
    THEN % determine latOut(t+6) %
    ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
       [(el 1 asl); (LINE `latOut` asl); (LINE `addOut` asl);T6]
       (FIND_SPEC_UNIT "t+5" latchUnit_spec `latchUnit_spec` asl))))
    THEN % determine rAddr (t+6) %
    RADDR_TAC "t+5" T6
    THEN % determine tblPtr (t+7) %
    ASSUM_LIST(\asl. ASSUME_TAC(
       (EXPAND_TBLPTR_RULE "t+6" T7 asl)))
    % determine control lines at (t+7) %
    THEN
    CONTROL_LINE_TAC "t+6" PHASE_4_UNIQUE T7
    THEN POP_ASSUM(\thm. ASSUME_TAC( REWRITE_RULE [PAIR_EQ] thm ))
    THEN % determine latOut(t+7) %
    ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
       [(el 1 asl) ; (LINE `latOut` asl);(LINE `addOut` asl);T7]
       (FIND_SPEC_UNIT "t+6" latchUnit_spec `latchUnit_spec` asl))))
    THEN % determine rAddr(t+7) %
    RADDR_TAC "t+6" T7
    % %
    THEN EXISTS_TAC "7"
    THEN PURE_ONCE_REWRITE_TAC [Next]
    THEN ASSUM_LIST(\asl. REWRITE_TAC [ (LINE `done` asl);(LINE `phase` asl)])
    THEN CONJ_TAC % create range and mmu_spec subgoals %
    THENL
    [ RANGE_TAC "7" "6"
    ;
      STRIP_TAC
      THEN % write rAddr for time t %
      ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
         [(el 15 asl);(el 17 asl);
          (REWRITE_RULE [BETW_0_7_IS_5] (INST_SIG_LIST "t+5" asl) );
          (REWRITE_RULE [BETW_0_7_IS_4] (INST_SIG_LIST "t+4" asl) )]
         (LINE `rAddr` asl) )))
      THEN
      PURE_ONCE_REWRITE_TAC [mmu_spec]
      THEN ASSUM_LIST(\asl. REWRITE_TAC [ (REWRITE_RULE
         [ (REWRITE_RULE [BETW_0_7_IS_1] (INST_SIG_LIST "t+1" asl) )]
         (LINE `super` asl) )])
      THEN PURE_REWRITE_TAC [userMode ; legalAccess]
      THEN EXPAND_LET_TAC
      THEN % write validAccess for time t %
      ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
         [(REWRITE_RULE [BETW_0_7_IS_2] (INST_SIG_LIST "t+2" asl) );
          (REWRITE_RULE [BETW_0_7_IS_4] (INST_SIG_LIST "t+4" asl) );
          (el 29 asl)]
         (el 11 asl) ) ))
      THEN
      ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl);(el 2 asl);
         (LINE `tblPtr` asl) ;PAIR_EQ] )
      THEN PURE_ONCE_REWRITE_TAC [vToR]
      THEN EXPAND_LET_TAC
      THEN REWRITE_TAC []
    ]
  ; % case where ~(validAccess ... /\ ofsLEq ... ) %
    ASSUM_LIST(\asl. ASSUME_TAC (
       (REWRITE_RULE [(el 1 asl)] (LINE `secOK` asl)) ))
    % determine control lines at (t+6) %
    THEN
    ASSUM_LIST(\asl. ASSUME_TAC (
       REWRITE_RULE (CONJUNCTS PHASE_3_UNIQUE @
          [(LINE `fdone` asl) ;T6; (LINE `phase` asl) ;PAIR_EQ; (el 1 asl)])
         (SPEC "t+5" (MATCH_MP CTRL_UNIT_EXPAND
            (UNIT `controlUnit_spec` asl) )) ))
    THEN % determine latOut(t+6) %
    ASSUM_LIST(\asl. ASSUME_TAC( (REWRITE_RULE
       [(el 1 asl); (LINE `latOut` asl);(LINE `addOut` asl);T6]
       (FIND_SPEC_UNIT "t+5" latchUnit_spec `latchUnit_spec` asl))))
    THEN % determine rAddr (t+6) %
    RADDR_TAC "t+5" T6
    THEN EXISTS_TAC "6"
    THEN PURE_ONCE_REWRITE_TAC [Next]
    THEN ASSUM_LIST(\asl. REWRITE_TAC [(LINE `done` asl);(LINE `phase` asl)])
    THEN CONJ_TAC % create range and mmu_spec subgoals %
    THENL
    [ RANGE_TAC "6" "5"
    ;
      STRIP_TAC
      THEN % write rAddr for time t %
      ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
         [ (REWRITE_RULE [BETW_0_6_IS_5] (INST_SIG_LIST "t+5" asl) )]
         (LINE `rAddr` asl) )))
      THEN
      PURE_ONCE_REWRITE_TAC [mmu_spec]
      THEN ASSUM_LIST(\asl. REWRITE_TAC [ (REWRITE_RULE
         [ (REWRITE_RULE [BETW_0_6_IS_1] (INST_SIG_LIST "t+1" asl) )]
         (LINE `super` asl) )])
      THEN PURE_REWRITE_TAC [userMode;legalAccess]
      THEN EXPAND_LET_TAC
      THEN % write validAccess for time t %
      ASSUM_LIST(\asl. ASSUME_TAC ( (REWRITE_RULE
         [(REWRITE_RULE [BETW_0_6_IS_2] (INST_SIG_LIST "t+2" asl) );
          (REWRITE_RULE [BETW_0_6_IS_4] (INST_SIG_LIST "t+4" asl) ) ;
          (el 25 asl)]
         (el 7 asl) ) ))
      THEN
      ASSUM_LIST(\asl. REWRITE_TAC [(el 1 asl);(el 2 asl);
         (LINE `tblPtr` asl) ;PAIR_EQ] )
      THEN REWRITE_TAC []
    ]
  ] % end validAccess case %
 );;

%
MMU_PROOF =
|- !r vAddr rAddr vData rwe super reqIn xlat ack done mem tblPtr
    tblPtrADDR phase.
    mmu_imp r vAddr vData rwe super tblPtr tblPtrADDR reqIn rAddr done ack
            xlat mem phase ==>
    (!t.
      (phase t = 0) ==>
      (reqIn t =>
       (?c.
         Next done(t,t + c) /\
         (phase(t + c) = 0) /\
         (stable_sigs t(t + c) vAddr rwe tblPtrADDR vData mem super ==>
          (mmu_spec r (vAddr t) (rwe t) (tblPtrADDR t) (tblPtr t)
                      (vData t) (mem t) (super t) =
           ack(t + c),rAddr(t + c),tblPtr(t + c)))) |
       ((ack(t + 1) = F) /\
        (phase(t + 1) = 0) /\
        (tblPtr(t + 1) = tblPtr t))))
Run time: 2419.4s

Intermediate theorems generated: 121858


File mmu_prf loaded

() : void

Run time: 2635.2s

Intermediate theorems generated: 122537
%
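The next-state table stated in CTRL_UNIT_EXPAND and the cycle-count witnesses that MMU_PROOF supplies with EXISTS_TAC (c = 2 and 3 on the supervisor paths, 7 and 6 on the user paths with and without secOK) can be replayed outside HOL. The Python model below is an added illustration, not one of the report's HOL sources: it transcribes the 9-tuple (muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase) table arm for arm, and adds two assumptions not on this page, a memory unit that raises fdone exactly one tick after rReq and a secOK value supplied as an input (the report's memoryUnit_spec and secUnit_spec are not reproduced here). The helper names run_request and phase0_idle_step_holds are the author's own. It reproduces the four cycle counts, shows that a failed user-mode check ends with done raised but ack low, that tblC is raised only on the supervisor write path, and checks the single-step form of PHASE_0_IDLE exhaustively over the table.

```python
# Executable model of the controlUnit next-state table in CTRL_UNIT_EXPAND.
# Added illustration, not part of the report's HOL sources.  The table is
# transcribed from the theorem statement.  ASSUMPTIONS: the memory unit
# signals fdone one tick after rReq (fdone(t+1) = rReq(t)), and secOK is an
# input; both are chosen to match the witnesses MMU_PROOF picks with EXISTS_TAC.
from itertools import product
from typing import NamedTuple


class Ctrl(NamedTuple):
    """The 9-tuple (muxC, tmpC, tblC, lC, rReq, xlat, done, ack, phase)."""
    muxC: int
    tmpC: bool
    tblC: bool
    lC: bool
    rReq: bool
    xlat: bool
    done: bool
    ack: bool
    phase: int


F, T = False, True
IDLE = Ctrl(0, F, F, F, F, F, F, F, 0)


def next_ctrl(c, reqIn, super_, wbit, match, secOK, fdone):
    """One clock tick of the control unit, arm for arm as in CTRL_UNIT_EXPAND."""
    if c.phase == 0:
        return Ctrl(0, F, F, F, F, F, F, F, 1) if reqIn else Ctrl(0, F, F, F, F, F, F, F, 0)
    if c.phase == 1:
        if super_:
            if wbit and match:                       # supervisor write to tblPtrADDR:
                return Ctrl(0, F, T, F, F, F, F, F, 5)   # load tblPtr, then phase 5
            return Ctrl(0, F, F, F, F, F, T, T, 0)       # supervisor: untranslated, ack
        return Ctrl(2, T, F, T, T, T, F, F, 2)           # user: fetch the table entry
    if c.phase == 2 and fdone:
        return Ctrl(1, F, F, F, T, T, F, F, 3)           # entry arrived, second fetch
    if c.phase == 3 and fdone:
        if secOK:
            return Ctrl(0, F, F, F, F, T, F, F, 4)       # access allowed
        return Ctrl(0, F, F, F, F, F, T, F, 0)           # done raised, ack stays low
    if c.phase == 4:
        return Ctrl(0, F, F, T, F, T, T, T, 0)
    if c.phase == 5:
        return Ctrl(0, F, F, F, F, F, T, T, 0)
    return c._replace(rReq=F)                            # default arm: hold, drop rReq


def run_request(super_, wbit, match, secOK, limit=16):
    """Pulse reqIn for one tick from phase 0 and step until done.

    Returns (c, ack, tblPtr_loaded): ticks until done, whether the request
    was acknowledged, and whether tblC was ever raised on the way.
    ASSUMPTION (not from the report): fdone(t+1) = rReq(t).
    """
    c, fdone, loaded = IDLE, F, F
    for t in range(1, limit + 1):
        nxt = next_ctrl(c, t == 1, super_, wbit, match, secOK, fdone)
        fdone = c.rReq              # memory answers one tick after the request
        loaded = loaded or nxt.tblC
        c = nxt
        if c.done:
            return t, c.ack, loaded
    raise RuntimeError("control unit did not signal done within %d ticks" % limit)


def phase0_idle_step_holds():
    """Single-step form of PHASE_0_IDLE, checked over every table arm: any
    transition that lands in phase 0 has tblC = F and muxC = 0, so an idle
    MMU never reloads its table pointer or redirects its address mux."""
    for phase, muxC, tblC in product(range(6), range(3), (F, T)):
        c = Ctrl(muxC, F, tblC, F, F, F, F, F, phase)
        for inputs in product((F, T), repeat=6):
            nxt = next_ctrl(c, *inputs)
            if nxt.phase == 0 and (nxt.tblC or nxt.muxC != 0):
                return False
    return True


if __name__ == "__main__":
    for label, args in [("super, write tblPtr", (T, T, T, T)),
                        ("super, other",       (T, F, F, T)),
                        ("user, secOK",        (F, T, T, T)),
                        ("user, ~secOK",       (F, T, T, F))]:
        cycles, ack, loaded = run_request(*args)
        print("%-20s c=%d ack=%s tblPtr loaded=%s" % (label, cycles, ack, loaded))
    print("PHASE_0_IDLE (step form):", phase0_idle_step_holds())
```

The four runs print c = 3, 2, 7 and 6, the same witnesses the proof supplies, and only the first run ever raises tblC. The model checks the table only; the HOL proof additionally has to carry the datapath values (tblPtr, latOut, rAddr) across those cycles under stable_sigs, which is where the bulk of the 121858 intermediate theorems come from.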